# Gustuff
Gustuff was an Android banking trojan that pioneered Automated Transfer System (ATS) fraud through accessibility services before the technique became standard across banking-trojan families. Built as an evolution of the AndyBot malware by a Russian-speaking actor known as "Bestoffer," it targeted 100+ banking apps and 32 cryptocurrency wallets across the US, Europe, and Australia. Gustuff's ATS implementation, which auto-filled transfer forms inside legitimate banking apps, predated the widespread adoption of this technique by families like Anatsa and Xenomorph by several years.
## Overview
| Attribute | Details |
|---|---|
| First Seen | April 2018 |
| Last Seen | ~2020 |
| Status | Inactive |
| Type | Banking trojan, ATS fraud |
| Aliases | AndyBot (predecessor) |
| Attribution | "Bestoffer," Russian-speaking actor |
| Distribution | SMS with links to fake APKs |
## Vendor Names
| Vendor | Name |
|---|---|
| Group-IB | Gustuff |
| Cisco Talos | Gustuff |
| SonicWall | AndroidGustuff |
| ESET | Android/Spy.Banker |
| Kaspersky | Trojan-Banker.AndroidOS.Gustuff |
| Trend Micro | AndroidOS_Gustuff |
| Microsoft | Trojan:AndroidOS/Banker |
## Origin and Lineage
Gustuff first appeared on Russian-speaking underground forums in April 2018 as a subscription-based service priced at $800/month. Its author, operating under the handle "Bestoffer," marketed it as an upgraded version of AndyBot, a banking trojan that had been targeting Android devices since November 2017. Where AndyBot relied on conventional web fakes to steal credentials, Gustuff introduced the ATS engine that could script transfers directly inside the real banking app's UI.
Group-IB's Threat Intelligence team published the first detailed analysis in March 2019, highlighting the scale of Gustuff's target list and the novelty of its ATS approach. At the time, most Android banking trojans relied on overlay attacks to capture credentials, then required manual operator action to perform transfers from separate devices. Gustuff automated the entire chain on the victim's device.
The malware saw active development through 2019, with Cisco Talos documenting a significant v2 update in October 2019 that rearchitected command handling, removed hardcoded target lists, and introduced JavaScript-based scripting. Activity declined through 2020 as newer families adopted and refined similar techniques.
## Distribution
Gustuff relied on SMS-based distribution, sending messages containing links to malicious APK files. The malware harvested contact lists from infected devices to propagate further, creating a self-spreading mechanism.
| Campaign | Vector | Disguise | Source |
|---|---|---|---|
| Early 2019 | SMS | Generic banking/utility apps | Group-IB |
| April 2019 | SMS | Australian financial service apps | Cisco Talos |
| June 2019 | SMS, social media | Instagram, social media apps | SonicWall |
| October 2019 | SMS | Fake app updates | Cisco Talos |
SonicWall documented a campaign where Gustuff disguised itself as Instagram and other social media apps, using icons identical to the legitimate applications to deceive users during installation.
## Capabilities
### Version 1 (2018-2019)
| Capability | Implementation |
|---|---|
| ATS fraud | Accessibility service auto-fills transfer forms in banking apps |
| Overlay attacks | Web fakes loaded over legitimate apps to steal credentials |
| SMS interception | Read, send, hide SMS for OTP theft |
| Contact harvesting | Exfiltrate contacts for SMS-based propagation |
| Push notifications | Display fake notifications to lure users into targeted apps |
| Crypto wallet targeting | Overlays for 32 cryptocurrency apps including Coinbase, BitPay, Bitcoin Wallet |
| Anti-AV | Maintained list of AV apps to block/disable |
| Google Protect bypass | Disable Google Play Protect on infected devices |
### Version 2 (October 2019)
Cisco Talos's analysis of the v2 update revealed substantial architectural changes:
| Capability | Implementation |
|---|---|
| JavaScript scripting engine | WebChromeClient with JS interface for dynamic command execution |
| Dynamic target loading | Target app list loaded from C2 during activation rather than hardcoded |
| Dynamic WebView injection | C2 can push WebView overlays for arbitrary domains on demand |
| Command tracking | Each C2 command assigned unique ID for execution state reporting |
| Reduced static footprint | No hardcoded package names, lowering detection by static scanners |
| AV list dynamic loading | Anti-AV target list fetched during activation cycle |
The JavaScript scripting engine was a notable advancement. By injecting a JavaScript interface into a WebView with filesystem access, operators could execute arbitrary automation scripts, combining the malware's internal commands with the flexibility of JavaScript.
## ATS Implementation
Gustuff's ATS engine was its defining feature. The process:
- Victim opens legitimate banking app and authenticates
- Malware detects the active session via accessibility service monitoring
- Uses ACTION_SET_TEXT (Android 5.0+) or clipboard injection (older versions) to fill transfer fields
- Navigates the banking app's UI through accessibility gestures
- Submits the transfer using C2-provided recipient and amount data
- Captures and uses SMS OTP codes to authorize the transaction
This on-device approach bypassed "new device" fraud checks, since the transfer originated from the victim's enrolled device within an authenticated session.
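Because the whole chain above runs through an accessibility service, the most direct host-side check a responder has is the list of services the user has enabled and the permissions those packages hold. The following triage script is an added example, not code from Gustuff or from any vendor report; it works on two values a responder would pull over adb (`settings get secure enabled_accessibility_services` and the granted permissions from `dumpsys package`), both embedded here as constructed samples. The package and class names, the allowlist and the risk mapping are assumptions for the demo, not real indicators.

```python
"""Triage of enabled accessibility services on an Android device.

Added example (not from the Gustuff analysis or any vendor tool). It
models the check a responder runs after pulling two pieces of device
state over adb:

  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package <pkg>   (for the granted permissions)

Every value below is constructed for the demo; the package and class
names are hypothetical, not real Gustuff indicators.
"""

# Constructed: the format Android uses for the secure setting, a
# colon-separated list of "package/ServiceClass" entries.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.instagrm.update/.a.b.c.AccService"
)

# Constructed: granted permissions per package, as transcribed from
# `dumpsys package` output.
GRANTED_PERMISSIONS = {
    "com.google.android.marvin.talkback": {
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
    },
    "com.example.instagrm.update": {
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.READ_CONTACTS",
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
}

# Assumption: packages expected to hold accessibility on a managed fleet.
ALLOWLIST = {"com.google.android.marvin.talkback"}

# Permissions that, next to accessibility, match the Gustuff capability
# set: OTP theft via SMS, contact harvesting for propagation, overlays.
RISKY = {
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay drawing",
}


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the secure setting into (package, fully qualified class) pairs."""
    pairs = []
    for entry in filter(None, setting.split(":")):
        pkg, _, cls = entry.partition("/")
        # Relative class names (".a.b.c") are resolved against the package.
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def triage(setting: str, perms: dict, allowlist: set) -> list[dict]:
    """Flag every non-allowlisted accessibility service; raise severity when
    the same package also holds permissions from the RISKY map."""
    findings = []
    for pkg, cls in parse_enabled_services(setting):
        if pkg in allowlist:
            continue
        granted = perms.get(pkg, set())
        reasons = sorted({RISKY[p] for p in granted if p in RISKY})
        findings.append({
            "package": pkg,
            "service": cls,
            "severity": "high" if reasons else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(ENABLED_SERVICES, GRANTED_PERMISSIONS, ALLOWLIST):
        print(f"[{f['severity']}] {f['package']} ({f['service']}): "
              + (", ".join(f["reasons"]) or "accessibility only"))
```

On the constructed input the TalkBack entry is skipped and the lookalike package is reported as high severity with all three reasons; a service that holds only accessibility still produces a medium finding, since Gustuff's v2 fetched its other capabilities dynamically and a quiet accessibility grant is the stage that precedes them.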
## Technical Details
### C2 Communication
The C2 protocol used HTTP-based polling at predetermined intervals. The bot registered with the C2 on first launch, sending device fingerprint data. The C2 responded to polls with either "ok" (no pending commands) or a command payload.
Key C2 commands:
| Command | Action |
|---|---|
| checkApps | Receive target application list during activation |
| interactive | Use accessibility API to interact with banking app UI for ATS |
| script | Execute JavaScript via WebChromeClient interface |
| upload | Exfiltrate files from device |
| sms | Send SMS from victim device |
| push | Display push notification to lure user |
| openApp | Launch specified app to trigger overlay or ATS |
In v2, commands related to SOCKS proxy functionality were removed entirely, indicating a strategic shift toward ATS-only fraud rather than proxying device traffic.
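The polling pattern described above, fixed-interval HTTP requests that mostly come back with a two-byte "ok", is a detection opportunity on its own, independent of the C2 hostname. The script below is an added example, not from Gustuff or any of the cited reports: it groups a proxy log by client, host and path, measures how regular the request intervals are and how often the response is tiny, and reports the combination. The log lines are constructed, the hosts are placeholders under `.invalid`, and the thresholds are assumptions to tune against real traffic.

```python
"""Flag fixed-interval HTTP polling with mostly tiny responses.

Added example, not from the Gustuff reports. It targets the C2 pattern
described above: a bot polls at a predetermined interval and usually
receives a short "ok" body, with an occasional larger command payload.
Log lines and hosts below are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp client method host path status response-bytes
LOG = """\
2019-10-02T10:00:00Z 10.0.0.7 POST c2.example.invalid /api/v1/poll 200 2
2019-10-02T10:00:00Z 10.0.0.7 GET cdn.example.invalid /img/logo.png 200 18342
2019-10-02T10:01:00Z 10.0.0.7 POST c2.example.invalid /api/v1/poll 200 2
2019-10-02T10:02:01Z 10.0.0.7 POST c2.example.invalid /api/v1/poll 200 2
2019-10-02T10:03:00Z 10.0.0.7 POST c2.example.invalid /api/v1/poll 200 2
2019-10-02T10:03:30Z 10.0.0.7 GET news.example.invalid / 200 54210
2019-10-02T10:04:00Z 10.0.0.7 POST c2.example.invalid /api/v1/poll 200 611
2019-10-02T10:05:00Z 10.0.0.7 POST c2.example.invalid /api/v1/poll 200 2
2019-10-02T10:06:00Z 10.0.0.7 POST c2.example.invalid /api/v1/poll 200 2
2019-10-02T10:07:00Z 10.0.0.7 GET news.example.invalid /a 200 1200
"""


def parse_log(text: str) -> list[dict]:
    """Parse the whitespace-separated constructed log format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, nbytes = line.split()
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "host": host,
            "path": path, "status": int(status), "bytes": int(nbytes),
        })
    return rows


def find_beacons(text: str, min_requests: int = 5, max_cv: float = 0.2,
                 small_body: int = 4, min_small_ratio: float = 0.7) -> list[dict]:
    """Return (client, host, path) groups whose inter-request gaps have a low
    coefficient of variation and whose responses are mostly <= small_body bytes."""
    groups = defaultdict(list)
    for r in parse_log(text):
        groups[(r["client"], r["host"], r["path"])].append(r)

    hits = []
    for (client, host, path), rows in groups.items():
        if len(rows) < min_requests:
            continue
        rows.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rows, rows[1:])]
        mu = mean(gaps)
        # A zero mean gap means bursts, not polling; treat as not periodic.
        cv = pstdev(gaps) / mu if mu > 0 else float("inf")
        small = sum(1 for r in rows if r["bytes"] <= small_body) / len(rows)
        if cv <= max_cv and small >= min_small_ratio:
            hits.append({"client": client, "host": host, "path": path,
                         "count": len(rows), "mean_interval": mu,
                         "cv": cv, "small_ratio": small})
    return hits


if __name__ == "__main__":
    for h in find_beacons(LOG):
        print(f"{h['client']} -> {h['host']}{h['path']}: {h['count']} requests, "
              f"every {h['mean_interval']:.0f}s (cv={h['cv']:.3f}), "
              f"{h['small_ratio']:.0%} tiny responses")
```

On the constructed log only the poll endpoint is reported: seven requests about 60 seconds apart, six of them answered with two bytes and one with a 611-byte command payload. The browsing traffic to the other hosts never reaches the minimum request count, and raising `min_requests` above seven makes the poll group drop out too, which is the knob to adjust when a network carries legitimate short-interval health checks.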
### Anti-Analysis
| Technique | Details |
|---|---|
| Heavy obfuscation | Packed and obfuscated to evade static analysis |
| Anti-VM checks | Detects emulator environments through hardware property checks |
| Dynamic configuration | Target lists, AV lists, and injects fetched from C2 rather than bundled |
| Google Play Protect suppression | Programmatically disables Play Protect on victim device |
## Target Regions and Financial Institutions
Gustuff's target list was extensive, covering major financial institutions and cryptocurrency services globally.
| Region | Country | Banking Apps |
|---|---|---|
| North America | United States | 27 apps (Bank of America, Wells Fargo, Capital One, J.P. Morgan, TD Bank, PNC Bank) |
| Europe | Poland | 16 apps |
| Europe | Germany | 9 apps |
| Asia-Pacific | Australia | 10 apps |
| Asia-Pacific | India | 8 apps |
Beyond banking, Gustuff targeted:
- 32 cryptocurrency wallets: Coinbase, BitPay, Cryptopay, Bitcoin Wallet
- Payment systems: PayPal, Western Union, Revolut
- Marketplaces: eBay, Walmart
- Messaging apps: WhatsApp, Skype
Cisco Talos reported that the Australian-focused campaign also attempted to target the Australian Government's myGov portal, expanding beyond pure financial theft to credential harvesting for government services.
## Notable Campaigns
March 2019: Group-IB published their initial disclosure, documenting Gustuff's capability to target 100+ banking apps and 32 cryptocurrency wallets. The analysis highlighted the ATS mechanism as a significant evolution beyond traditional overlay-based credential theft.
April 2019: Cisco Talos identified an active campaign specifically targeting Australian financial institutions and digital currency wallets. The campaign also targeted the Australian Government's myGov portal, marking an expansion into government credential theft.
June 2019: SonicWall documented Gustuff spreading under the disguise of social media apps, including samples mimicking Instagram with pixel-identical app icons.
October 2019: Cisco Talos published their v2 analysis, detailing the JavaScript scripting engine, dynamic target loading, and command execution tracking system that represented a substantial architectural overhaul from the original version.