{
	"id": "b508e6ac-d9e9-40b1-adc9-d88295ed8be1",
	"created_at": "2026-05-05T02:46:33.990281Z",
	"updated_at": "2026-05-05T02:46:36.881334Z",
	"deleted_at": null,
	"sha1_hash": "08a7699c39f79bf4bfff2443968d5e7f91a3512f",
	"title": "Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 181075,
	"plain_text": "Group-IB uncovers Android Trojan named «Gustuff» capable\r\nof targeting more than 100 global banking apps, cryptocurrency\r\nand marketplace applications\r\nArchived: 2026-05-05 02:21:56 UTC\r\nGroup-IB, an international company that specializes in preventing cyberattacks, has detected activity of Gustuff,\r\na mobile Android Trojan whose potential targets include customers of leading international banks, users\r\nof cryptocurrency services, and users of popular e-commerce websites and marketplaces. Gustuff has never previously been\r\nreported. Gustuff is a new generation of malware complete with fully automated features designed to steal both\r\nfiat and cryptocurrency from user accounts en masse. The Trojan abuses the Accessibility Service, which is intended to assist\r\npeople with disabilities.\r\nAnalysis of a Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target\r\nusers of the Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells\r\nFargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay,\r\nCoinbase etc. 
Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking\r\napps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India, as well as users\r\nof 32 cryptocurrency apps.\r\nInitially designed as a classic banking Trojan, Gustuff in its current version has significantly expanded the list\r\nof potential targets, which now includes, besides the Android apps of banks, crypto services and fintech companies,\r\nusers of apps of marketplaces, online stores, payment systems and messengers, such as PayPal, Western\r\nUnion, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut etc.\r\nWeapon of mass infection\r\nGustuff infects Android smartphones through SMS messages containing links to a malicious Android Package (APK) file, the\r\npackage file format used by the Android operating system for distribution and installation of applications. When\r\nan Android device is infected with Gustuff, at the server’s command the Trojan spreads further through the infected\r\ndevice’s contact list or the server database. Gustuff’s features are aimed at mass infection and maximum profit\r\nfor its operators: it has a unique feature, ATS (Automatic Transfer Systems), that autofills fields in legitimate\r\nmobile banking apps, cryptocurrency wallets and other apps, which both speeds up and scales up thefts.\r\nThe analysis of the Trojan revealed that the ATS function is implemented with the help of the Accessibility\r\nService, which is intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass\r\nsecurity measures against interactions with other apps’ windows using the Android Accessibility Service. 
That being\r\nsaid, the use of the Accessibility Service to perform ATS has so far been a relatively rare occurrence.\r\nOnce installed on the victim’s phone, Gustuff uses the Accessibility Service to interact with elements\r\nof other apps’ windows, including cryptocurrency wallets, online banking apps, messengers etc. The Trojan can\r\nperform a number of actions; for example, at the server’s command, Gustuff is able to change the values of the\r\ntext fields in banking apps.\r\nhttps://www.group-ib.com/media/gustuff/\r\nPage 1 of 4\n\nUsing the Accessibility Service mechanism means that the Trojan is able to bypass\r\nsecurity measures used by banks to protect against older generations of mobile Trojans, as well as the changes to Google’s\r\nsecurity policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google\r\nProtect; according to the Trojan’s developer, this feature works in 70% of cases.\r\nGustuff is also able to display fake push notifications with the legitimate icons of the apps mentioned above. 
Clicking\r\non fake push notifications has two possible outcomes: either a web fake downloaded from the server pops up and\r\nthe user enters the requested personal or payment (card/wallet) details; or the legitimate app that purportedly\r\ndisplayed the push notification opens, and Gustuff, at the server’s command and with the help of the\r\nAccessibility Service, can automatically fill payment fields for illicit transactions.\r\nThe malware is also capable of sending information about the infected device to the C\u0026C server, reading/sending\r\nSMS messages, sending USSD requests, launching a SOCKS5 proxy, following links, transferring files (including\r\ndocument scans, screenshots, photos) to the C\u0026C server, and resetting the device to factory settings.\r\nIn order to better protect their clients against mobile Trojans, companies need to use complex solutions which\r\nallow malicious activity to be detected and prevented without additional software installation for the end user. Signature-based detection methods should be complemented with user and application behaviour analytics. Effective cyber\r\ndefence should also incorporate a system of identification for customer devices (device fingerprinting) in order\r\nto be able to detect usage of stolen account credentials from an unknown device. Another important element is cross-channel analytics that help to detect malicious activity in other channels.\r\nPavel Krylov\r\nHead of Fraud Protection / Fraud Protection\r\nUsed mainly outside Russia\r\nAlthough the Trojan was developed by a Russian-speaking cybercriminal, Gustuff operates exclusively\r\non international markets.\r\nAll new Android Trojans offered on underground forums, including Gustuff, are designed to be used mainly\r\noutside Russia, and target customers of international companies. 
In Russia, after the owners of the largest Android\r\nbotnets were arrested, the number of daily thefts decreased threefold, Trojans’ activity became significantly less\r\nwidespread, and their developers focused on other markets. However, some hackers „patch“ (modify) the Trojan\r\nsamples and reuse them in their attacks on users in Russia.\r\nRustam Mirkasymov\r\nGroup-IB Head of the Malware Dynamic Analysis department and threat intelligence expert\r\nGroup-IB’s Threat Intelligence system first discovered Gustuff on hacker forums in April 2018. According to its\r\ndeveloper, nicknamed Bestoffer, Gustuff became the new, updated version of the AndyBot malware, which since\r\nNovember 2017 has been attacking Android phones and stealing money using web fakes disguised as the mobile apps\r\nof prominent international banks and payment systems. Gustuff is a «serious product for individuals with skills\r\nand experience», as advertised by the Trojan’s developer. The price for leasing the «Gustuff Bot» was $800 per\r\nmonth. Group-IB Threat Intelligence customers were notified about Gustuff upon discovery. A team of Group-IB\r\nanalysts continues to research the Trojan.\r\nAbout Group-IB\r\nEstablished in 2003, Group-IB is a leading creator of predictive cybersecurity technologies to investigate, prevent,\r\nand fight digital crime globally. 
Headquartered in Singapore, and with Digital Crime Resistance Centers in the\r\nAmericas, Europe, Middle East and Africa, Central Asia, and the Asia-Pacific, Group-IB delivers predictive,\r\nintelligence-driven defense by analysing and neutralizing regional and country-specific cyber threats via its\r\nUnified Risk Platform, offering unparalleled defense through its industry-leading Cyber Fraud Intelligence\r\nPlatform, Cloud Security Posture Management, Threat Intelligence, Fraud Protection, Digital Risk Protection,\r\nManaged Extended Detection and Response (XDR), Business Email Protection, and External Attack Surface\r\nManagement solutions, catering to government, retail, healthcare, gaming, financial sectors, and beyond. Group-IB collaborates with international law enforcement agencies like INTERPOL, Europol, and AFRIPOL to fortify\r\ncybersecurity worldwide, and has received awards from advisory agencies including Datos Insights, Gartner, Forrester,\r\nFrost \u0026 Sullivan, and KuppingerCole.\r\nFor more information, visit us at www.group-ib.com or connect with us on LinkedIn, X, Facebook, and Instagram.\r\nDiscover our podcasts to hear from leading voices on Masked Actors and Fraud Intel, where top cybersecurity\r\nexperts share real-world experiences, emerging trends, and practical insights to help you stay one step ahead in the\r\nfight against cyber crime.\r\nSource: https://www.group-ib.com/media/gustuff/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/media/gustuff/"
	],
	"report_names": [
		"gustuff"
	],
	"threat_actors": [],
	"ts_created_at": 1777949193,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08a7699c39f79bf4bfff2443968d5e7f91a3512f.pdf",
		"text": "https://archive.orkl.eu/08a7699c39f79bf4bfff2443968d5e7f91a3512f.txt",
		"img": "https://archive.orkl.eu/08a7699c39f79bf4bfff2443968d5e7f91a3512f.jpg"
	}
}