Not good news for Android smartphone users! Our cooperation partner Kaspersky Lab has discovered a modified version of the banking Trojan 'Gugi', which can bypass the new security features of Android 6.0 "Marshmallow" that are meant to block phishing and ransomware attacks.

The modified Trojan forces users to grant it the rights it needs to overlay other apps (display overlay), send and read SMS messages, and make calls. Gugi spreads through social engineering, and its use by cybercriminals is growing steadily: between April and early August 2016, the number of victims increased tenfold.

Gugi targets mobile banking credentials and credit card details, which it steals by overlaying the genuine banking app or the Google Play Store with a phishing window. Android 6, introduced at the end of 2015, added security features designed to block exactly this kind of attack: among other things, apps now need the user's explicit consent to overlay other apps, and must ask for permission the first time they want to send an SMS message or make a call. The modified version of the Gugi Trojan discovered by Kaspersky Lab can bypass these features.

Gugi: Infection and activities

The Gugi infection begins with social engineering, usually a spam SMS that asks the user to click on a malicious link. Once the Trojan has been installed on the device, it sets about obtaining the access rights it needs. A message appears on the display asking for additional rights, and the only option the user is offered is to agree. When the user does so, they are asked whether to allow the app to overlay other apps. Having obtained that permission, the Trojan locks the screen with a request for "Trojan Device Administration" rights and then asks for permission to send and view SMS messages and make calls.

The device will be locked!

If the Trojan does not receive all the rights it requests, it locks the infected device completely. If this happens, the only remaining option is to reboot the device in safe mode and uninstall the Trojan. This becomes considerably harder if the Trojan has already been granted "Trojan Device Administration" rights, since an active device administrator cannot simply be uninstalled.

Gugi is a typical banking Trojan: it steals financial credentials, SMS messages and contacts, makes USSD (Unstructured Supplementary Service Data) requests, and sends SMS messages on instructions from its command-and-control server.
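From a defender's side, the combination of rights described above (screen overlay, SMS sending and reading, phone calls, and device administration) is itself a useful triage signal. The following is an added example, not code from the article or from Kaspersky Lab: it scores a decoded AndroidManifest.xml for those four capabilities. The sample manifest and the package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Rights the article says Gugi forces the user to grant, grouped by capability.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS"}
CALL_PERMS = {"android.permission.CALL_PHONE"}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml):
    """Score a decoded AndroidManifest.xml string for the four rights Gugi demands.
    Returns (findings, score); score is how many of the four appear together."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ATTR_NAME) for p in root.iter("uses-permission")}
    # A device-administration receiver is declared with the BIND_DEVICE_ADMIN
    # protection so that only the system can deliver admin events to it.
    device_admin = any(r.get(ATTR_PERMISSION) == DEVICE_ADMIN_PERM
                       for r in root.iter("receiver"))
    findings = {
        "overlay": bool(requested & OVERLAY_PERMS),
        "sms": bool(requested & SMS_PERMS),
        "calls": bool(requested & CALL_PERMS),
        "device_admin": device_admin,
    }
    return findings, sum(findings.values())


# Constructed sample manifest that mirrors the rights described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    findings, score = triage_manifest(SAMPLE_MANIFEST)
    print(findings, "score:", score)  # all four True, score 4
```

A score of 4 on its own does not prove malice (some legitimate device-management apps request the same rights), but it is the exact profile the article describes and a sensible trigger for closer inspection.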

“Operating systems like Android regularly provide updates to improve their security features,” said Roman Unuchek, senior malware analyst at Kaspersky Lab. “At the same time, cybercriminals are relentless in their attempts to circumvent security features. With the discovery of Gugi, we can neutralize this new threat and help people protect their devices and data.”

This is how you can protect yourself!

To protect yourself from Gugi and other mobile malware threats, Kaspersky Lab recommends Android users:

  • not to grant rights and permissions automatically to apps that request them: think about what is being requested and why;
  • to install an anti-malware solution such as Kaspersky Internet Security for Android on all mobile devices and to update the operating system regularly;
  • to avoid clicking on links in unknown or unexpected messages;
  • to be careful when visiting websites: something that looks suspicious usually is more than just suspicious.

The Trojan family 'Trojan-Banker.AndroidOS.Gugi' has been known since December 2015; the modified variant 'Trojan-Banker.AndroidOS.Gugi.c' was first discovered in June 2016. Kaspersky Lab products detect all known forms of the Gugi Trojan.

A blog post on the subject of Gugi can be found at https://de.securelist.com/blog/mobile/71918/banking-trojan-gugi-evolves-to-bypass-android-6-protection

Notes:
1) This content reflects the state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic.
2) Individual contributions were created with machine assistance and were carefully checked by the Mimikama editorial team before publication.