Kaspersky Lab, a tech security group operating in 200 countries including Nigeria, says it has uncovered a version of the Gugi banking Trojan that can bypass Android OS 6 security features designed to block attacks.
“The modified Trojan forces users into giving it the right to overlay genuine apps, send and view SMS, make calls and more. The Gugi Trojan’s aim is to steal users’ mobile banking credentials by overlaying their genuine banking apps with phishing apps and to seize credit card details by overlaying the Google Play Store app,” Kaspersky Lab in a global alert to Android users.
[quote font=”georgia” font_size=”22″ font_style=”italic” align=”left” arrow=”yes”]As Kaspersky Lab reveals, “Gugi is a typical banking Trojan: stealing financial credentials, SMS and contacts, making USSD requests and sending SMS as directed by the command server,” and that in the first half of August 2016, there were ten times as many victims as in April 2016.[/quote]In late 2015, Android OS version 6 was launched with new security features designed specifically to block such attacks. Among other things, apps now need the user’s permission to overlay other apps, and to request approval for actions such as sending SMS and making calls the first time they want to access them.
However, Kaspersky Lab says its anti-malware experts have uncovered a modification of the Gugi Trojan that can successfully bypass these two new features.
According to the tech security firm, the initial infection with the modified Trojan takes place through social engineering, usually with a spam SMS that encourages users to click on a malicious link. Once installed on the device, the Trojan sets about getting the access rights it needs.
When ready, the malware displays the following sign on the user’s screen: “additional rights needed to work with graphics and windows.” There is only one button: “provide.” When the user clicks on this, they are presented with a screen asking them to authorize app overlay. After receiving permission, the Trojan will block the device screen with a message asking for ‘Trojan Device Administrator’ rights, and then it asks for permission to send and view SMS and to make calls, Kaspersky Lab says.
If the Trojan does not receive all the permissions it needs, it will completely block the infected device. If this happens, the user’s only option is to reboot the device in safe mode and try to uninstall the Trojan, an activity that is made harder if the Trojan previously gained ‘Trojan Device Administrator’ rights.
As Kaspersky Lab reveals, “Gugi is a typical banking Trojan: stealing financial credentials, SMS and contacts, making USSD requests and sending SMS as directed by the command server,” and that in the first half of August 2016, there were ten times as many victims as in April 2016.
Kaspersky Lab thus advises Android users take the following steps to protect themselves against the Gugi Trojan and other malware threats:
- Don’t automatically agree to give rights and permissions when an app asks you to do so – think about what is being asked and why you are being asked for it.
- Install an antimalware solution on all devices and keep OS software up-to-date.
- Avoid clicking on links in messages from people you don’t know or in unexpected messages from people you do.
- Exercise caution at all times when visiting websites, especially if something looks even slightly suspicious.