189 Australian banks, finserv providers attacked by SMS-borne malware

By on
189 Australian banks, finserv providers attacked by SMS-borne malware

'Gustuff' malware ships with catalogue of fake logon screens, localised targeting mechanisms.

Cisco’s Talos security business has detected what it’s described as “a new Android-based campaign targeting Australian financial institutions.”

The firm’s explanation of the attack detected an advertisement on an exploit-hawking website that offers malware called “Gustuff” that claims it can attack Westpac, NAB, St George Bank, ING Direct, BankWest, Bank SA and other Australian financial institutions. Talos said it found a 189 sets of logos for Australian banks and cryptocurrency exchanges in the malware.

Those logos come in handy once the malware gets into a user’s Android phone, which is possible if soon-to-be-victims click on a link in an SMS message. Doing so installs malware that exfiltrates a user’s address book so that botnet can harvest mobile numbers it contains and send more SMSes bearing dodgy links.

Once the malware is installed, it creates overlay applications that ask users to log into an online banking service. This is where the 189 logos come into play, as those overlays do a decent job of replicating banking sites’ look and feel.

One of the fake overlays installed by the Gustuff malware

If users fall for the logon screens, the malware’s operators harvest their login credentials. And things presumably go south pretty fast after that.

The good news is that the malware appears to require intervention to operate, which Talos suggest could be one reason it’s only seeing about three requests per hour to the botnet. But the firm added that “that the malicious operator is aggressively spreading the malware, but that doesn't seem to result in the same number of new infections.”

The bad news is that once it runs, the malware can harvest SMS messages and therefore defeat two-factor authentication if it uses SMS. Talos therefore recommends client-side two-factor authentication as an alternative to SMS.

Talos also suggests that while Gustuff is currently targeting Australian financial institutions, that’s an indication of criminal intent rather than evidence of a local threat. The firm reached that conclusion by noting that the malware has a country selection dialog that malware authors could use to target other nations.

This will be a tricky attack to defeat, as the malware goes to great lengths to stop anti-virus software running on Android devices and also tries to avoid being placed into sandboxes that would make it harder to touch other apps and Android processes.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
banks cisco talos finance malware networking security

Sponsored Whitepapers

DevSecOps: A framework for digital innovation
DevSecOps: A framework for digital innovation
Encryption: Protect your most critical data
Encryption: Protect your most critical data
Overcoming data security challenges in a hybrid, multicloud world
Overcoming data security challenges in a hybrid, multicloud world
Move beyond passwords
Move beyond passwords
The top 5 tech trends to deliver business outcomes
The top 5 tech trends to deliver business outcomes

Events

Most Read Articles

CBA becomes first 'Big 4' data recipient under CDR

CBA becomes first 'Big 4' data recipient under CDR
NSW Police green-lights Mark43 for $1bn COPS overhaul

NSW Police green-lights Mark43 for $1bn COPS overhaul
Urgent patches out for exploited Exchange Server zero-days

Urgent patches out for exploited Exchange Server zero-days
NBN Co to start consulting on gigabit speeds for FTTC

NBN Co to start consulting on gigabit speeds for FTTC
You must be a registered member of iTnews to post a comment.
| Register

Log In

Username / Email:
Password:
  |  Forgot your password?