Gustuff is mobile malware designed to steal users' banking and virtual currency credentials.[1]

ID: S0406
Platforms: Android
Version: 1.0
Created: 03 September 2019
Last Modified: 14 October 2019

Techniques Used

Domain ID Name Use
Mobile T1437.001 Application Layer Protocol: Web Protocols

Gustuff communicates with the command and control server using HTTP requests.[1]

Mobile T1533 Data from Local System

Gustuff can capture files and photos from the compromised device.[1]

Mobile T1628.001 Hide Artifacts: Suppress Application Icon

Gustuff hides its icon after installation.[2]

Mobile T1629.001 Impair Defenses: Prevent Application Removal

Gustuff may prevent application removal by abusing Android’s performGlobalAction(int) API call.

Mobile T1417.001 Input Capture: Keylogging

Gustuff abuses accessibility features to intercept all interactions between a user and the device.[1]

Mobile T1417.002 Input Capture: GUI Input Capture

Gustuff uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. Gustuff can also send push notifications pretending to be from a bank, triggering a phishing overlay.[1][2]

Mobile T1516 Input Injection

Gustuff injects the global action GLOBAL_ACTION_BACK, mimicking a press of the back button, to close an antivirus application when it detects that one has been opened.[1]

Mobile T1406 Obfuscated Files or Information

Gustuff obfuscates command information using a custom base85-based encoding.[1]

Mobile T1406.002 Obfuscated Files or Information: Software Packing

Gustuff code is both obfuscated and packed with an FTT packer.[1]

Mobile T1644 Out of Band Data

Gustuff can use SMS for command and control from a defined admin phone number.[1]

Mobile T1636.003 Protected User Data: Contact List

Gustuff can collect the contact list.[1]

Mobile T1636.004 Protected User Data: SMS Messages

Gustuff can intercept two-factor authentication codes transmitted via SMS.[1]

Mobile T1418.001 Software Discovery: Security Software Discovery

Gustuff checks for antivirus software contained in a predefined list.[1]

Mobile T1426 System Information Discovery

Gustuff gathers information about the device, including the default SMS application, whether SafetyNet is enabled, the battery level, the operating system version, and whether the malware has elevated permissions.[1]

Mobile T1422 System Network Configuration Discovery

Gustuff gathers the device IMEI to send to the command and control server.[1]