跳到主体内容

Gugi Banking Trojan Outsmarts New Android 6 Security

2016年9月6日

Kaspersky Lab experts have discovered a modification of the Gugi banking trojan that can bypass new Android 6 security features designed to block phishing and ransomware attacks.

Kaspersky Lab experts have discovered a modification of the Gugi banking trojan that can bypass new Android 6 security features designed to block phishing and ransomware attacks.  The modified trojan forces users into giving it the right to overlay genuine apps, send and view SMS, make calls, and more.  It is spread through social engineering and its use by cybercriminals is growing rapidly: between April and early August, 2016, there was a ten-fold increase in its number of victims.

The Gugi Trojan’s aim is to steal users’ mobile banking credentials by overlaying their genuine banking apps with phishing apps, and to seize credit card details by overlaying the Google Play Store app.  In late 2015, Android OS version 6 was launched, with new security features designed specifically to block such attacks. Among other things, apps now need the user’s permission to overlay other apps, and to request approval for actions such as sending SMS and making calls the first time they want to access them.

Kaspersky Lab anti-malware experts have uncovered a modification of the Gugi Trojan that can successfully bypass these two new features.

Initial infection with the modified trojan takes place through social engineering, usually with a spam SMS that encourages users to click on a malicious link. Once installed on the device, the trojan sets about getting the access rights it needs. When ready, the malware displays the following sign on the user’s screen: “additional rights needed to work with graphics and windows”. There is only one button: “provide.”  

When the user clicks on this, they are presented with a screen asking them to authorise app overlay. After receiving permission, the trojan will block the device screen with a message asking for ‘Trojan Device Administrator’ rights, and then ask for permission to send and view SMS and to make calls. 

If the trojan does not receive all the permissions it needs, it will completely block the infected device.  If this happens, the user’s only option is to reboot the device in safe mode and try to uninstall the trojan, an activity that is made harder if the trojan has already gained ‘Trojan Device Administrator’ rights.

Aside from these security workarounds and a few other features, Gugi is a typical banking trojan: stealing financial credentials, SMS and contacts, making USSD requests and sending SMS as directed by the command server.  To date, 93% of users attacked by the Gugi Trojan are based in Russia, but its number of victims is on the rise. In the first half of August 2016 there were ten times as many victims as in April 2016.

“Cybersecurity is a never-ending race. OS systems such as Android are continuously updating their security features to make life harder for cybercriminals and safer for customers; cybercriminalsare relentless in their attempts to find ways around this; and the security industry is equally busy making sure they don’t succeed. The discovery of the modified Gugi Trojan is a good example of this.  In exposing the threat, we can neutralize it, and help to keep people, their devices and their data safe,” said Roman Unucheck, Senior Malware Analyst, Kaspersky Lab.

Kaspersky Lab advises Android users to take the following steps to protect themselves against the Gugi Trojan and other malware threats:

  • Don’t automatically agree to hand over rights and permissions when an app asks you to do so – think about what is being asked for, and why you are being asked for it.
  • Install an antimalware solution on all devices and keep OS software up-to-date.
  • Avoid clicking on links in messages from people you don’t know, or in unexpected messages from people you do.
  • Exercise caution at all times when visiting websites: if something looks even slightly suspicious, it probably is.

    The Trojan-Banker.AndroidOS.Gugi family has been known about since December 2015, with the modification Trojan-Banker.AndroidOS.Gugi.c first discovered in June 2016. Kaspersky Lab products detect all modifications of the Gugi Trojan malware family.

To read more about how the Gugi Trojan bypasses elements of Android 6 security, read the blog on Securelist.com.

Gugi Banking Trojan Outsmarts New Android 6 Security

Kaspersky Lab experts have discovered a modification of the Gugi banking trojan that can bypass new Android 6 security features designed to block phishing and ransomware attacks.
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻