2 min

A newly discovered form of Android malware has stolen crypto currency and bank data from over 125 different apps. The malware called Gustuff was discovered by Group-IB security researchers. The Trojan would become more popular among cybercriminals because it was made specifically for banking and crypto resources.

Gustuff would be about a year old, but has only just come to the attention of the public. The malware sits quietly for a while – often without anyone noticing – in the background, before it surreptitiously steals financial data. Gustuff focuses on a hundred bank apps, 27 of which are in the US. Sixteen apps come from Poland, ten from Australia, nine from Germany and eight from India. It also focuses on 32 apps for cryptographic currency. These include Coinbase and Bitcoin Wallet.

Gustuff was initially designed as a classic banking trojan, but the current version has significantly expanded the list of potential targets, the researchers argue. This list now also includes users of apps from marketplaces, online shops, payment systems and messengers such as PayPal, eBay, Skype and WhatsApp.


Gustuff is further distributed mainly via SMS messages with links to rogue Android package files. Android uses MOT files to install applications. When a user clicks on a malicious link and installs an infected application, the malware spreads quickly within the victim’s device. In doing so, it searches for both the contact list and installed applications.

The malware wants to infect as many devices as possible and raise as much money as possible for its creators. It has a unique function for that, called “Automatic Transfer Systems”. This feature can automatically fill in legitimate banking and cryptographic currency apps to steal money. It also has the ability to display fake push messages with legitimate icons of the apps it has in mind. Users who click on those notifications are misled into sharing login or credit card information.

Security researchers recommend that companies use signature-based detection methods to better protect customers from malware. It is unclear whether large antivirus and malware companies are already detecting Gustuff.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.