Gugi Banking Trojan Bypasses Android 6 Security Via Social Engineering
By Paul Liu
Monday, June 26th, 2017

A relatively new banking trojan has managed to defeat the anti-phishing and anti-ransomware protections introduced in Android 6. The Gugi trojan, first detected in late 2015 by the security firm Kaspersky, obtains the administrator rights and overlay permissions it needs by social engineering the user rather than by exploiting a flaw in the platform. For now the trojan is most active in Russia, where 93 percent of its victims are located, but it is spreading fast: there were ten times as many Gugi infections in the first half of August 2016 as in the whole of April 2016.
Over the last few years a number of banking trojans and other malware have managed to sidestep Android's security features. These rogue apps not only gained administrator privileges, they also drew fake screens over Google Play and banking apps to steal financial information. Google released Android 6 in late 2015 with built-in protections aimed precisely at these abuses: an app must now obtain explicit user approval before it may draw over other apps, and the user is asked at runtime before an app may make calls or send SMS messages.
Kaspersky's researchers found that the latest version of Gugi gets past both of these protections. The trojan arrives via a text message that urges the user to open a link. Opening the link leads to the trojan's installation, after which the app starts a seemingly endless sequence of requests for more and more rights. The first screen is the trojan's own: it states that the app needs additional rights to work with graphics and windows and invites the user to tap a "Provide" button, after which the user is asked to let the app draw over other apps. Once that is granted, the app asks for device administrator rights, and then for permission to send SMS messages and make calls. None of these prompts is bypassed in the technical sense; each is a legitimate Android dialog that the user is talked into accepting.
If the user refuses any of these requests, the trojan blocks the device entirely, and the only way out is to reboot. Rebooting into safe mode gives the user a chance to uninstall the app, but this becomes much harder once device administrator rights have been granted, since Android will not uninstall an active device administrator until that status is revoked in Settings. With its rights in place, the trojan steals credit card details by overlaying the Google Play app and banking credentials by overlaying genuine banking apps; it also makes USSD requests, sends SMS messages and places calls on instruction from its remote command server.
To stay safe from trojans such as Gugi, Kaspersky recommends never granting administrator or overlay rights to suspicious apps, not opening suspicious links, and installing a reputable anti-malware product to protect personal and financial information. Gugi shows that Android 6's permission prompts only protect users who refuse them: the trojan defeats the new safeguards not with an exploit but with persistent social engineering and the user's carelessness.
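A quick way to check a device against the advice above is to list which third-party apps already hold the three rights Gugi collects: drawing over other apps, device administrator status, and the SMS and call permissions. The adb-driven script below is an added example written for this article, not code from Kaspersky or from the original post. It assumes the output formats that `appops get`, `dumpsys device_policy` and `dumpsys package` print on Android 6 and 7 builds (marked as assumptions in the comments), and the sample text it parses offline is constructed, not captured from a real device:

```shell
#!/usr/bin/env bash
# Triage of the rights Gugi collects: "draw over other apps"
# (SYSTEM_ALERT_WINDOW), device administrator, and SMS/call permissions.
# Added example, not code from Kaspersky or the article.
# ASSUMPTION: the output formats parsed below are what `appops get`,
# `dumpsys device_policy` and `dumpsys package` print on Android 6/7
# builds; adjust the patterns if your build differs.

# appops mode of SYSTEM_ALERT_WINDOW, from the first line of
# `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, e.g.
# "SYSTEM_ALERT_WINDOW: allow; time=+2h ago" or "No operations.".
# Prints allow / deny / ignore / default, or "unset".
overlay_mode() {
  local line="$1"
  case "$line" in
    SYSTEM_ALERT_WINDOW:*)
      line="${line#SYSTEM_ALERT_WINDOW: }"   # strip the op name
      line="${line%%;*}"                     # drop the "; time=..." tail
      printf '%s\n' "$line" | tr -d '[:space:]'
      ;;
    *) printf 'unset\n' ;;
  esac
}

# Package names of enabled device admins, parsed from `dumpsys device_policy`
# on stdin, where each admin appears as a "<package>/<receiver>:" line.
active_admins() {
  sed -n 's#^[[:space:]]*\([A-Za-z0-9_.]*\)/[^[:space:]:]*:.*$#\1#p' | sort -u
}

# Permissions granted to a package, parsed from `dumpsys package <pkg>` on
# stdin ("android.permission.X: granted=true" lines, install or runtime).
granted_perms() {
  sed -n 's#^[[:space:]]*\(android\.permission\.[A-Z_]*\): granted=true.*$#\1#p' | sort -u
}

# Verdict for one package: SUSPECT when it can draw over other apps AND is a
# device admin (the combination Gugi needs to phish while resisting removal),
# REVIEW when it has overlay plus SMS or call rights, ok otherwise.
verdict() {
  local overlay="$1" admin="$2" perms="$3" sms=no call=no
  if printf '%s\n' "$perms" | grep -q 'android.permission.SEND_SMS$'; then sms=yes; fi
  if printf '%s\n' "$perms" | grep -q 'android.permission.CALL_PHONE$'; then call=yes; fi
  if [ "$overlay" = allow ] && [ "$admin" = yes ]; then
    echo SUSPECT
  elif [ "$overlay" = allow ] && { [ "$sms" = yes ] || [ "$call" = yes ]; }; then
    echo REVIEW
  else
    echo ok
  fi
}

# Live run over a USB-attached device with USB debugging enabled. The `tr`
# strips the CRs that older adb versions add to shell output.
triage_device() {
  local admins pkg ov adm perms
  admins="$(adb shell dumpsys device_policy | tr -d '\r' | active_admins)"
  adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
  while read -r pkg; do
    ov="$(overlay_mode "$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r' | head -n 1)")"
    adm=no
    if printf '%s\n' "$admins" | grep -qx "$pkg"; then adm=yes; fi
    perms="$(adb shell dumpsys package "$pkg" | tr -d '\r' | granted_perms)"
    printf '%-40s overlay=%-7s admin=%-3s %s\n' "$pkg" "$ov" "$adm" "$(verdict "$ov" "$adm" "$perms")"
  done
}

# Constructed sample output (not captured from a real device) for an app
# that has already walked the user through all of Gugi's prompts.
SAMPLE_DPM='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mmsviewer/.AdminReceiver:
      uid=10123
      policies:
        force-lock'
SAMPLE_PKG='  Package [com.example.mmsviewer] (3b4c5d6):
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0:  installed=true
      runtime permissions:
        android.permission.SEND_SMS: granted=true
        android.permission.CALL_PHONE: granted=false'

# Offline demo: run the parsers over the constructed sample.
demo_verdict() {
  local adm=no
  if printf '%s\n' "$SAMPLE_DPM" | active_admins | grep -qx com.example.mmsviewer; then adm=yes; fi
  verdict "$(overlay_mode 'SYSTEM_ALERT_WINDOW: allow; time=+2h ago')" "$adm" \
          "$(printf '%s\n' "$SAMPLE_PKG" | granted_perms)"
}

if [ "${1:-}" = --live ]; then triage_device; else demo_verdict; fi
```

Run it with `--live` to print one line per third-party package on the connected device; with no arguments it only exercises the parsers over the constructed sample and prints SUSPECT. An app rated SUSPECT can both draw over other apps and resist uninstallation as a device administrator, which is exactly what lets Gugi overlay Google Play and banking apps while surviving a safe-mode cleanup attempt; deactivate it under Settings > Security > Device administrators before trying to uninstall it.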