Android Trojan Exploits Accessibility Services for the Disabled to Autofill Forms (Mar 28, 2019)
Researchers from Group-IB have discovered a new Android trojan, "Gustuff," that abuses a mobile phone's Accessibility Services to autofill banking applications, among others. It is initially distributed via a text message containing a link to a malicious Android Package file (APK); if the link is clicked, the trojan is installed and uses the device's Accessibility Services to interact with other applications. The trojan targets banking applications, cryptocurrency, fintech, marketplaces, online stores, and payment systems such as PayPal and eBay. Gustuff can display fake notifications carrying the legitimate icon of an application; either a fake pop-up window asks the user to enter the requested personal or payment details, or the legitimate application opens and Gustuff autofills the payment fields through Accessibility Services to make illicit transactions. Gustuff can also send information about the infected device to a Command and Control (C2) server, read and send text messages, send USSD requests, launch a SOCKS5 proxy, follow links, transfer files to the C2, and reset the device to factory settings.
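A triage check a defender can run against a suspect device (an added example, not code from the Group-IB report or the original article): it parses the output of two adb commands and flags enabled accessibility services whose host package was sideloaded, which is the installation path this trojan relies on. The trusted-installer set, the allowlist and the sample command output are assumptions.

```python
"""Flag enabled Android accessibility services hosted by sideloaded packages.
Inputs mimic `adb shell settings get secure enabled_accessibility_services`
and `adb shell pm list packages -i`; the sample strings are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Installers a defender would normally trust (assumed: Play Store, Samsung store).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
# Accessibility services expected on the device (assumed allowlist).
ALLOWLISTED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """'pkg/cls:pkg2/cls2' -> [(pkg, cls), ...]; a relative class '.Svc' is expanded."""
    out = []
    for entry in raw.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        out.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return out


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Lines 'package:com.foo  installer=com.android.vending' -> {pkg: installer or None}."""
    result = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", raw, re.M):
        result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result


def suspicious_services(services_raw: str, installers_raw: str) -> List[Tuple[str, str, Optional[str]]]:
    """Enabled accessibility services neither allowlisted nor from a trusted installer."""
    installers = parse_installers(installers_raw)
    return [(pkg, cls, installers.get(pkg))
            for pkg, cls in parse_enabled_services(services_raw)
            if pkg not in ALLOWLISTED_PACKAGES
            and installers.get(pkg) not in TRUSTED_INSTALLERS]


# Constructed sample output: TalkBack from the Play Store, plus a sideloaded APK.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.flashplayer/.AccessService")
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.flashplayer  installer=null
package:com.android.chrome  installer=com.android.vending"""

if __name__ == "__main__":
    for pkg, cls, inst in suspicious_services(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print(f"sideloaded accessibility service: {pkg} ({cls}, installer={inst})")
```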
Recommendation: Keep mobile devices fully patched with the latest security updates and run trusted antivirus software. Obtain applications only from the Google Play Store or Apple App Store, and avoid installing applications, even if they appear legitimate, from third-party stores or from links in unsolicited text messages.