189 Australian banks, finserv providers attacked by SMS-borne malware

Cisco’s Talos security business has detected what it’s described as “a new Android-based campaign targeting Australian financial institutions.”

The firm’s explanation of the attack detected an advertisement on an exploit-hawking website that offers malware called “Gustuff” that claims it can attack Westpac, NAB, St George Bank, ING Direct, BankWest, Bank SA and other Australian financial institutions. Talos said it found a 189 sets of logos for Australian banks and cryptocurrency exchanges in the malware.

Those logos come in handy once the malware gets into a user’s Android phone, which is possible if soon-to-be-victims click on a link in an SMS message. Doing so installs malware that exfiltrates a user’s address book so that botnet can harvest mobile numbers it contains and send more SMSes bearing dodgy links.

Once the malware is installed, it creates overlay applications that ask users to log into an online banking service. This is where the 189 logos come into play, as those overlays do a decent job of replicating banking sites’ look and feel.

One of the fake overlays installed by the Gustuff malware

If users fall for the logon screens, the malware’s operators harvest their login credentials. And things presumably go south pretty fast after that.

The good news is that the malware appears to require intervention to operate, which Talos suggest could be one reason it’s only seeing about three requests per hour to the botnet. But the firm added that “that the malicious operator is aggressively spreading the malware, but that doesn't seem to result in the same number of new infections.”

The bad news is that once it runs, the malware can harvest SMS messages and therefore defeat two-factor authentication if it uses SMS. Talos therefore recommends client-side two-factor authentication as an alternative to SMS.

Talos also suggests that while Gustuff is currently targeting Australian financial institutions, that’s an indication of criminal intent rather than evidence of a local threat. The firm reached that conclusion by noting that the malware has a country selection dialog that malware authors could use to target other nations.

This will be a tricky attack to defeat, as the malware goes to great lengths to stop anti-virus software running on Android devices and also tries to avoid being placed into sandboxes that would make it harder to touch other apps and Android processes.