189 Australian banks, finserv providers attacked by SMS-borne malware

By on
189 Australian banks, finserv providers attacked by SMS-borne malware

'Gustuff' malware ships with catalogue of fake logon screens, localised targeting mechanisms.

Cisco’s Talos security business has detected what it’s described as “a new Android-based campaign targeting Australian financial institutions.”

The firm’s explanation of the attack detected an advertisement on an exploit-hawking website that offers malware called “Gustuff” that claims it can attack Westpac, NAB, St George Bank, ING Direct, BankWest, Bank SA and other Australian financial institutions. Talos said it found a 189 sets of logos for Australian banks and cryptocurrency exchanges in the malware.

Those logos come in handy once the malware gets into a user’s Android phone, which is possible if soon-to-be-victims click on a link in an SMS message. Doing so installs malware that exfiltrates a user’s address book so that botnet can harvest mobile numbers it contains and send more SMSes bearing dodgy links.

Once the malware is installed, it creates overlay applications that ask users to log into an online banking service. This is where the 189 logos come into play, as those overlays do a decent job of replicating banking sites’ look and feel.

One of the fake overlays installed by the Gustuff malware

If users fall for the logon screens, the malware’s operators harvest their login credentials. And things presumably go south pretty fast after that.

The good news is that the malware appears to require intervention to operate, which Talos suggest could be one reason it’s only seeing about three requests per hour to the botnet. But the firm added that “that the malicious operator is aggressively spreading the malware, but that doesn't seem to result in the same number of new infections.”

The bad news is that once it runs, the malware can harvest SMS messages and therefore defeat two-factor authentication if it uses SMS. Talos therefore recommends client-side two-factor authentication as an alternative to SMS.

Talos also suggests that while Gustuff is currently targeting Australian financial institutions, that’s an indication of criminal intent rather than evidence of a local threat. The firm reached that conclusion by noting that the malware has a country selection dialog that malware authors could use to target other nations.

This will be a tricky attack to defeat, as the malware goes to great lengths to stop anti-virus software running on Android devices and also tries to avoid being placed into sandboxes that would make it harder to touch other apps and Android processes.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
banks cisco talos finance malware networking security

Most Read Articles

'Zerologon' Windows domain admin bypass exploit released

'Zerologon' Windows domain admin bypass exploit released
Aussie Broadband boss says NBN Co could change price construct in months, if it wanted to

Aussie Broadband boss says NBN Co could change price construct in months, if it wanted to
Service NSW's in-app contact tracing tool goes live statewide

Service NSW's in-app contact tracing tool goes live statewide
Macquarie University brings Accenture onboard for HR transformation

Macquarie University brings Accenture onboard for HR transformation
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

A Migration Guide For Businesses Switching Mobile Device Management Solutions
A Migration Guide For Businesses Switching Mobile Device Management Solutions
Plan your post-COVID security strategy
Plan your post-COVID security strategy
The Executive's Guide To The Future Of Work
The Executive's Guide To The Future Of Work
Government Digital Transformation Requires Customer Obsession
Government Digital Transformation Requires Customer Obsession
Master the fundamentals of AWS cost efficiency
Master the fundamentals of AWS cost efficiency

Events

Log In

Username / Email:
Password:
  |  Forgot your password?