New Variant of the Gugi Banking Trojans Bypasses Android 6 Security

Experts from Kaspersky Labs discovered a new variant of the Gugi banking Trojan that can bypass the security measures of Android 6 that block phishing and ransomware attacks.

Gugi Becomes More Dangerous as It Bypasses the Android 6 Security Measures

The Gugi banking trojan has become more dangerous as Kaspersky Labs researches uncovered a new variant of the malware. The new Gugi Trojan now can bypass the Android 6 security measures that have been developed by Google to block phishing and ransomware attacks. The new version forces victims to give the program permission to overlay legitimate applications, send and view SMS messages, initiate phone calls, and other privileges. Android Marshmallow (version 6) features measures that require explicit permission for overlaying applications and sending SMS messages. The modified Gugi code bypasses these security features.

Initial infection with the malicious Trojan is through social engineering attacks, popularly carried out via spam messages (SMS or emails) that contain malicious links or attachments with Gugi. Upon successful installation, the malicious program attempts to access the needed permission set from the user. The user is shown a screen containing the following text “additional rights needed to work with graphics and windows” and the only option is to “provide” Gugi with the requested rights.

The application then presents another screen that asks the users to provide rights for app overlay. After the user accepts the permissions check, then Trojan blocks the device screen and continues with another privilege escalation request, this time for initiating calls and sending and viewing SMS messages.

The security issue is that if the malware does not receive all the requested permission, it will completely block the infected device with all the gained permissions gained so far. The only recovery option is to reboot the device in safe mode and uninstall Gugi. Unfortunately, that is made very hard if the Trojan has gained the “Trojan Device Administrator” rights.

This malware is used to steal financial credentials, SMS messages, and contacts. Gugi can make USSD requests and execute commands from remote malicious C&C servers. To date about 93% of all victims are located in Russia.

The experts from Kaspersky advise Android users to protect themselves from this threat by following good security measures:

  • Do not automatically agree to rights and permissions requests by untrusted applications
  • Install and use an effectively anti-malware product on all devices and always apply operating system and software updates
  • Do not click or follow links and attachments in unknown message
  • Stay alert about the latest threats

The victims of the Gugi Trojan have grown ten-fold between April and August 2016 making it one of the serious contemporary threats.

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *