189 Australian banks, finserv providers attacked by SMS-borne malware

By on
189 Australian banks, finserv providers attacked by SMS-borne malware

'Gustuff' malware ships with catalogue of fake logon screens, localised targeting mechanisms.

Cisco’s Talos security business has detected what it’s described as “a new Android-based campaign targeting Australian financial institutions.”

The firm’s explanation of the attack detected an advertisement on an exploit-hawking website that offers malware called “Gustuff” that claims it can attack Westpac, NAB, St George Bank, ING Direct, BankWest, Bank SA and other Australian financial institutions. Talos said it found a 189 sets of logos for Australian banks and cryptocurrency exchanges in the malware.

Those logos come in handy once the malware gets into a user’s Android phone, which is possible if soon-to-be-victims click on a link in an SMS message. Doing so installs malware that exfiltrates a user’s address book so that botnet can harvest mobile numbers it contains and send more SMSes bearing dodgy links.

Once the malware is installed, it creates overlay applications that ask users to log into an online banking service. This is where the 189 logos come into play, as those overlays do a decent job of replicating banking sites’ look and feel.

One of the fake overlays installed by the Gustuff malware

If users fall for the logon screens, the malware’s operators harvest their login credentials. And things presumably go south pretty fast after that.

The good news is that the malware appears to require intervention to operate, which Talos suggest could be one reason it’s only seeing about three requests per hour to the botnet. But the firm added that “that the malicious operator is aggressively spreading the malware, but that doesn't seem to result in the same number of new infections.”

The bad news is that once it runs, the malware can harvest SMS messages and therefore defeat two-factor authentication if it uses SMS. Talos therefore recommends client-side two-factor authentication as an alternative to SMS.

Talos also suggests that while Gustuff is currently targeting Australian financial institutions, that’s an indication of criminal intent rather than evidence of a local threat. The firm reached that conclusion by noting that the malware has a country selection dialog that malware authors could use to target other nations.

This will be a tricky attack to defeat, as the malware goes to great lengths to stop anti-virus software running on Android devices and also tries to avoid being placed into sandboxes that would make it harder to touch other apps and Android processes.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
banks cisco talos finance malware networking security

Sponsored Whitepapers

7 guidelines to deliver tangible results quickly
7 guidelines to deliver tangible results quickly
Power your firm's intelligent digital workplace with digital document processes
Power your firm's intelligent digital workplace with digital document processes
Give your employees a positive UX
Give your employees a positive UX
Customer Identity and Access Management for Dummies
Customer Identity and Access Management for Dummies
Modernise Government Agencies with Oracle's next-generation cloud services
Modernise Government Agencies with Oracle's next-generation cloud services

Events

Most Read Articles

Major banks' online services, airline systems go down

Major banks' online services, airline systems go down
NBN Co says 5G competition is challenging its monopoly status

NBN Co says 5G competition is challenging its monopoly status
AFP told to end over-reliance on network drives

AFP told to end over-reliance on network drives
Govt to mandate Essential Eight cyber security controls

Govt to mandate Essential Eight cyber security controls

Log In

Email:
Password:
  |  Forgot your password?