Android Malware Targets Users of 32 Crypto Apps, Including Coinbase, BitPay

Published at: March 29, 2019

A new strain of Trojan malware for Android phones is targeting global users of top crypto apps such as Coinbase, BitPay and Bitcoin Wallet, as well as banks including JPMorgan, Wells Fargo, and Bank of America. The news was reported by technology news outlet The Next Web on March 28.

Based on research from prominent cybercrime analytics firm Group-IB, this is reportedly the first time the Trojan — now named “Gustuff” — has been reported or analyzed. The malware is described as being designed for mass infection and is spread by SMS messages with links to load malicious Android package kit files.

The malware’s creators have reportedly created “Automatic Transfer Systems” that aim to expedite and scale the thefts by triggering autofills of payment fields for legitimate Android apps to maliciously reroute transfers to the hackers.

The app is purported to issue a host of “web fakes” that mimic legitimate apps to phish for sensitive data from users — specifically targeting customers of as many as 32 different crypto apps. Push notifications using legitimate icons are a further device the malware uses to automate downloads of fake apps and trigger transaction autofills.

Group IB reportedly identified 27 fake crypto and banking apps specific to the United States, 16 for Poland, 10 for Australia, nine for Germany and nine for India. The malware also targets payment systems and messenger services such as PayPal, Revolut, Western Union, eBay, Walmart, Skype and WhatsApp.

In order to function, Gustuff reportedly exploits Android’s accessibility features designed for disabled users, with Group-IB characterizing this as a relatively rare and effective trick:

“Using the Accessibility Service mechanism means that the Trojan is able to bypass [...] changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70 percent of cases.”

Reportedly first traced to hacker forums from April 2018, Group IB notes that Gustuff has been designed by a Russian-speaking cybercriminal nicknamed “Bestoffer,” yet targets customers of international firms primarily outside of Russia.

Android users are advised by Group IB to download apps strictly from the Google Play store and pay attention to the extensions of downloaded files.
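The two points above, Accessibility Service abuse and sideloaded APKs arriving by SMS, can be checked together on a device. The following triage helper is an added example (not code from the article or from Group-IB): it takes the output of two `adb shell` commands, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and flags any enabled accessibility service whose package was not installed by Google Play. The sample outputs are constructed, and the package names in them are placeholders.

```python
"""Added triage example: flag enabled Android accessibility services that
belong to apps not installed from Google Play. Input is the text output of
`adb shell settings get secure enabled_accessibility_services` and
`adb shell pm list packages -i`, passed in as strings."""
import re
from typing import Dict, List, Optional

PLAY_STORE = "com.android.vending"  # installer id reported for Play Store installs


def parse_enabled_services(raw: str) -> List[str]:
    """Parse the enabled_accessibility_services setting.
    Entries look like 'pkg/pkg.ServiceClass', separated by ':'; an empty
    setting is returned by adb as 'null'."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Parse `pm list packages -i` lines: 'package:<pkg>  installer=<source>'.
    A sideloaded APK (e.g. opened from an SMS link) shows installer=null."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            pkg, installer = match.group(1), match.group(2)
            installers[pkg] = None if installer == "null" else installer
    return installers


def suspicious_services(services_raw: str, installers_raw: str) -> List[str]:
    """Return enabled accessibility services whose owning package did not
    come from Google Play (sideloaded or unknown installer)."""
    installers = parse_installers(installers_raw)
    flagged = []
    for service in parse_enabled_services(services_raw):
        pkg = service.split("/", 1)[0]
        if installers.get(pkg) != PLAY_STORE:
            flagged.append(service)
    return flagged


# Constructed sample output; 'com.example.sideloaded' is a placeholder name.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.sideloaded/com.example.sideloaded.AccService")
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
"""

if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print("review accessibility service:", svc)
```

Only the sideloaded package's service is reported; a flagged entry is a lead for review, not proof of infection, since legitimate accessibility tools can also be installed outside Play.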

As reported in February, decentralized app MetaMask was recently pulled from Google Play after researchers detected malware impersonating the tool to steal crypto from users.
