Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

GUGI BANKING TROJAN OUTSMARTS NEW ANDROID 6 SECURITY

Kaspersky Lab experts have discovered a modification of the Gugi banking trojan that can bypass new Android 6 security features designed to block phishing and ransomware attacks. The modified trojan forces users into giving it the right to overlay genuine apps, send and view SMS, make calls, and more.  It is spread through social engineering and its use by cybercriminals is growing rapidly. Between April and early August, 2016, there was a ten-fold increase in its number of victims.

The Gugi Trojan’s aim is to steal users’ mobile banking credentials by overlaying their genuine banking apps with phishing apps and to seize credit card details by overlaying the Google Play Store app.  In late 2015, Android OS version 6 was launched, with new security features designed specifically to block such attacks. Among other things, apps now need the user’s permission to overlay other apps and to request approval for actions such as sending SMS messages and making calls the first time they want to access them.

Kaspersky Lab anti-malware experts have uncovered a modification of the Gugi Trojan that can successfully bypass these two new features.

Initial infection with the modified trojan takes place through social engineering, usually with a spam SMS that encourages users to click on a malicious link. Once installed on the device, the trojan sets about getting the access rights it needs. When ready, the malware displays the following sign on the user’s screen: “additional rights needed to work with graphics and windows”. There is only one button: “provide”.

When the user clicks on this, they are presented with a screen asking them to authorise app overlay. After receiving permission, the trojan will block the device screen with a message asking for ‘Trojan Device Administrator’ rights, and then ask for permission to send and view SMS and to make calls.

If the trojan does not receive all the permissions it needs, it will completely block the infected device. If this happens, the user’s only option is to reboot the device in safe mode and try to uninstall the trojan, an activity that is made harder if the trojan has already gained ‘Trojan Device Administrator’ rights.

Aside from these security workarounds and a few other features, Gugi is a typical banking trojan: stealing financial credentials, SMS and contacts, making USSD requests and sending SMS as directed by the command server.  To date, 93 per cent of users attacked by the Gugi Trojan are based in Russia, but its number of victims is on the rise. In the first half of August 2016, there were ten times as many victims as in April 2016.

“Cybersecurity is a never-ending race. OS systems such as Android are continuously updating their security features to make life harder for cybercriminals and safer for customers. Cybercriminals are relentless in their attempts to find ways around this, and the security industry is equally busy making sure they don’t succeed. The discovery of the modified Gugi Trojan is a good example of this.  In exposing the threat, we can neutralise it, and help to keep people, their devices and their data safe,” said Roman Unucheck, Senior Malware Analyst, Kaspersky Lab.

Kaspersky Lab advises Android users to take the following steps to protect themselves against the Gugi Trojan and other malware threats:

  • Don’t automatically agree to hand over rights and permissions when an app asks you to do so – think about what is being asked for and why you are being asked for it.
  • Install an anti-malware solution on all devices and keep OS software up-to-date.
  • Avoid clicking on links in messages from people you don’t know, or in unexpected messages from people you do.
  • Exercise caution at all times when visiting websites: if something looks even slightly suspicious, it probably is.

The Trojan-Banker.AndroidOS.Gugi family has been known about since December 2015, with the modification Trojan-Banker.AndroidOS.Gugi.c first discovered in June 2016. Kaspersky Lab products detect all modifications of the GugiTrojan malware family.

To read more about how the Gugi Trojan bypasses elements of Android 6 security, read the blog on Securelist.com.