Gugi Banking Trojan Evolves to Bypass Android OS 6 Security

Written by

A modification of the Gugi banking trojan has been uncovered that can thwart the Android OS 6 security features designed to block phishing and ransomware attacks.

The Kaspersky Lab anti-malware experts who discovered this fresh Gugi iteration said that the number of victims is on the rise. In the first half of August 2016, there were 10 times as many victims as in April 2016.

The Gugi trojan’s aim is to steal users’ mobile banking credentials and credit-card details by overlaying their genuine banking apps with phishing screens. “Gugi is a typical banking Trojan: stealing financial credentials, SMS and contacts, making USSD requests and sending SMS as directed by the command server,” said the researchers, in an analysis.

What’s not typical is its security evasion processes. In late 2015, Android OS version 6 was launched with new security features designed specifically to block such attacks. Among other things, apps now need the user’s permission to overlay other apps, and they’re required to request approval for actions such as sending SMS and making calls, the first time they want to access them. Gugi however has been modified to successfully bypass these two features.

Initial infection with the modified trojan takes place through social engineering, usually with a spam SMS that encourages users to click on a malicious link. Once installed on the device, the trojan sets about getting the access rights it needs. When it’s ready, the malware displays a message on the user’s screen: “additional rights needed to work with graphics and windows.” There is only one button to click: It says “provide.”

When the user clicks, a screen pops up asking them to authorize app overlay. After receiving permission, the Trojan will block the device screen with a message asking for “Trojan Device Administrator” rights, and then it asks for permission to send and view SMS and to make calls.

Savvy users may balk at blithely clicking through all of those screens, but there’s a price to pay: If the Trojan does not receive all the permissions it needs, it will completely block the infected device. If this happens, the user’s only option is to reboot the device in safe mode and try to uninstall the trojan, an activity that is made harder if the trojan previously gained ‘Trojan Device Administrator’ rights.

To date, 93% of users attacked by the Gugi Trojan are based in Russia, but that could change quickly.

“Cybersecurity is a never-ending race,” said Roman Unucheck, senior malware analyst, Kaspersky Lab. “OS such as Android are continuously updating their security features to make life harder for cybercriminals and safer for customers. Cybercriminals are relentless in their attempts to find ways around this, and the security industry is equally busy making sure they don’t succeed. The discovery of the modified Gugi trojan is a good example of this. In exposing the threat, we can neutralize it, and help to keep people, their devices and their data safe.”

As far as avoiding the issue altogether, Elday Tuvey, co-founder and CEO of Wandera, said that the human factor remains the main reason why such attacks are highly successful, as users blindly trust applications distributed through social media, SMS or ads that are actually unofficial and often malicious.

“Banking trojans like Gugi have a higher success rate in countries where users are keen to use unofficial apps due to the lack of availability on regional official app stores, or other restrictions,” he noted via email. “Enterprises should not avoid using Android based devices…users should minimize their exposure surface to threats by keeping default security features enabled at all times, and be less naive when applications request an excessive amount of permission.

Users should also install an antimalware solution on all devices and keep OS software up-to-date.

“It is important to outline that security vendors progressively improve their Android security solutions to detect and remediate from such threats, therefore adding another layer of security on top of the native OS,” Tuvey added.

The Trojan-Banker.AndroidOS.Gugi family has been known about since December 2015, with the new modification (Trojan-Banker.AndroidOS.Gugi.c) first discovered in June 2016.

Photo © Nicescene

What’s hot on Infosecurity Magazine?