189 Australian banks, finserv providers attacked by SMS-borne malware

By on
189 Australian banks, finserv providers attacked by SMS-borne malware

'Gustuff' malware ships with catalogue of fake logon screens, localised targeting mechanisms.

Cisco’s Talos security business has detected what it’s described as “a new Android-based campaign targeting Australian financial institutions.”

The firm’s explanation of the attack detected an advertisement on an exploit-hawking website that offers malware called “Gustuff” that claims it can attack Westpac, NAB, St George Bank, ING Direct, BankWest, Bank SA and other Australian financial institutions. Talos said it found a 189 sets of logos for Australian banks and cryptocurrency exchanges in the malware.

Those logos come in handy once the malware gets into a user’s Android phone, which is possible if soon-to-be-victims click on a link in an SMS message. Doing so installs malware that exfiltrates a user’s address book so that botnet can harvest mobile numbers it contains and send more SMSes bearing dodgy links.

Once the malware is installed, it creates overlay applications that ask users to log into an online banking service. This is where the 189 logos come into play, as those overlays do a decent job of replicating banking sites’ look and feel.

One of the fake overlays installed by the Gustuff malware

If users fall for the logon screens, the malware’s operators harvest their login credentials. And things presumably go south pretty fast after that.

The good news is that the malware appears to require intervention to operate, which Talos suggest could be one reason it’s only seeing about three requests per hour to the botnet. But the firm added that “that the malicious operator is aggressively spreading the malware, but that doesn't seem to result in the same number of new infections.”

The bad news is that once it runs, the malware can harvest SMS messages and therefore defeat two-factor authentication if it uses SMS. Talos therefore recommends client-side two-factor authentication as an alternative to SMS.

Talos also suggests that while Gustuff is currently targeting Australian financial institutions, that’s an indication of criminal intent rather than evidence of a local threat. The firm reached that conclusion by noting that the malware has a country selection dialog that malware authors could use to target other nations.

This will be a tricky attack to defeat, as the malware goes to great lengths to stop anti-virus software running on Android devices and also tries to avoid being placed into sandboxes that would make it harder to touch other apps and Android processes.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
banks cisco talos finance malware networking security
In Partnership With

Most Read Articles

Wipro hacked, internal systems used to attack customers: report

Wipro hacked, internal systems used to attack customers: report
Vodafone makes aggressive play for 100Mbps NBN users

Vodafone makes aggressive play for 100Mbps NBN users
Photos: Inside Downer's "trains with brains" depot

Photos: Inside Downer's "trains with brains" depot
Optus sets $85 a month as its new entry-level NBN price

Optus sets $85 a month as its new entry-level NBN price
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Stop Parasites on your Network with Sophos
Stop Parasites on your Network with Sophos
Stop your Oracle database slowing down your business
Stop your Oracle database slowing down your business
How Macquarie University has prepared for fire and flood
How Macquarie University has prepared for fire and flood
Guide to Fully-Composable Software-Defined Private Cloud
Guide to Fully-Composable Software-Defined Private Cloud
Is slow data silently killing your business? Here's why you should care.
Is slow data silently killing your business? Here's why you should care.

Events

Log In

Username / Email:
Password:
  |  Forgot your password?