In the previous article, we described the mechanisms used by Trojan-Banker.AndroidOS.Gugi.c to bypass a number of new Android 6 security features. In this article, we review the entire Gugi mobile-banking Trojan family in more detail.
The use of WebSocket by Gugi
The mobile-banking Trojan family, Trojan-Banker.AndroidOS.Gugi is interesting due to its use of the WebSocket protocol to interact with its command-and-control servers. This protocol combines the advantages of HTTP with those of commonly used sockets: there is no need to open extra ports on a device, as all the communication goes through standard port 80. At the same time, real-time data exchange is possible.
It is worth noting that even though this technology is user-friendly, it is not that popular among attackers. Among all the mobile Trojans that utilize WebSocket technology, more than 90% are related to the Gugi family.
WebSocket Usage in Mobile SMS Trojans
We registered the first case of WebSocket technology use in mobile Trojans at the end of December 2013. It was Trojan-SMS.AndroidOS.FakeInst.fn. Judging by the code, the Trojan was created by the same malefactors who created the Trojan-Banker.AndroidOS.Gugi family.
During the initial registration, the FakeInst.fn Trojan uploads a large amount of device-related data to its server. The data includes the telephone number, the carrier information, IMEI, IMSI, etc.
From the server, the malware may receive a JSON file with the following commands (and data for the commands):
- SMS – send a text message with specified text to a specified number;
- intercept – enable or disable the interception of incoming SMS messages;
- adres – change a command-and-control server address;
- port – change a command-and-control server port;
- contacts – send a bulk SMS message with specified content to all the contact numbers listed on the infected device.
In addition, the Trojan steals all outgoing SMS messages.
In the middle of January 2014, just a couple of weeks after discovering FakeInst.fn, a new version of the Trojan appeared. The malware was no longer using WebSocket; instead the communication was performed with the help of the HTTP protocol (GET and POST requests). Among all the installation packages of the Trojan, we could discover only two (dating back to the middle of March 2014) that utilized WebSocket. Everything seemed to indicate that the attackers decided to drop the technology for a while. They started to use it again almost two years later, in the Gugi family.
From SMS Trojans to Mobile Banking Trojans
Two years after finding the first version of Trojan-SMS.AndroidOS.FakeInst.fn, which utilized WebSocket, a new Websocket-using Trojan appeared, Trojan-Banker.AndroidOS.Gugi.a.
There are multiple matches in the Gugi code (variable and method names) with the Trojan-SMS.AndroidOS.FakeInst.fn code. The major changes within Gugi were the addition of a phishing window to steal the device user’s credit-card data and the use of WebSocket. Within all the Gugi mobile-banking Trojan family installation packages detected by us, WebSocket technology is used to communicate with the command-and-control server. Thus, the attackers had switched from Trojan-SMS to Trojan-Banker.
Evolution of the Trojan-Banker.AndroidOS.Gugi
The evolution of the Gugi Trojan can be split into two stages:
The first stage started in the middle of December 2015. The word “Fanta” is used within the name of all versions of the Trojan related to this stage, for example, “Fanta v.1.0”.
On request from the command-and-control server, Gugi Trojan version 1.0 could perform the following actions:
- stop its operation;
- steal all the contacts from the device;
- steal all the SMS messages from the device;
- send an SMS message with specified text to a specified number;
- send a USSD request;
- steal SMS messages from a specified group/conversation.
In late December 2015, we spotted the next version of Gugi, “Fanta v.1.1”. Its major difference from the previous version was that the code had a way of disabling the phishing window (we would like to remind you that Gugi can also be used as an SMS Trojan). Another new feature allowed contacts to be added to the infected device at the request of the server. This version was spread much more actively than the first one.
At the beginning of February 2016, we detected two new versions of Gugi, “Fanta v2.0” and “Fanta v2.1”. These versions had an increased focus on banking. First, they came with a new phishing window for stealing the username and password from the mobile banking software of one of the largest Russian banks. Secondly, the Trojan code introduced the list of phone numbers of two Russian banks. All incoming SMS messages from these numbers were not only sent to the malefactors’ server (like other SMS messages) but were hidden from the user.
These versions had a phishing window, shown either on request from the server or right after the smartphone had booted up. The window would not close until the user had entered their data.
Then, in the middle of March 2016, we found “Fanta v.2.2”. This became the most popular version of al, accounting for more than 50% of all of the installation packages related to the “Fanta” stage. Starting from this version, phishing windows were drawn over banking applications and Google Play.
Phishing window over Google Play Store
One more phishing window started to appear, right before the window for stealing credit-card data. This window read: “Link your credit card to Google Play Store and get 200 rubles for any apps!”
Additionally, starting from this version, the Trojan actively fights its removal. If the malware has Device Administrator rights, then its removal is possible only after disabling those rights. Therefore, whenever the Trojan does not have Device Administrator rights, it aggressively demands such permission, drawing its window over the device settings window.
In April 2016, we found the most recent “Fanta” version to date, “Fanta v.2.3”. That version had only one significant change: if the user disables the Device Administrator rights for the Trojan, then the malware changes the device password, effectively blocking the device.
All versions of “Fanta” are detected by the Kaspersky Lab products as Trojan-Banker.AndroidOS.Gugi.a.
The first file related to the second stage, “Lime”, was found a week before “Fanta v2.3” appeared, at the beginning of April 2016.
The installation package code for “Lime” seems to have been rewritten from the Fanta stage. The code, as well as the version names, had the word “Fanta” excluded and replaced with “Lime” in some lines. The same Trojan name, “Lime”, is seen in the administration panel through which the malefactors control this malware.
Trojan’s administration panel
Versions of the Trojan relating to the “Lime” stage do not change the device password when Device Administrator rights are disabled.
The first file discovered by us in April 2016 was version 1.1 and, judging by the code, was a test file. The next installation package related to the “Lime” stage was discovered in the middle of May 2016. It had the same version number, 1.1, but improved functionality.
The major change in version 1.1 of the “Lime” stage was that it showed new phishing windows. At that time, the Trojan could attack five banking apps of various Russian banks. Additionally, it had a new command to get the list of rules for processing incoming SMS messages. These rules define which messages should be hidden from the user and which messages should be replied to with specific messages.
Further, during the course of May 2016, we discovered files labelled 1.2 and 1.5 by the authors, even though the features of the files had not been changed.
Meanwhile, a new version of the Android OS, version 6.0, was released with security features that did not let the Trojan function properly. In June, we found a new version of the Trojan, 2.0, in which the malefactors had added support for Android 6. On Android 6 devices, the Trojan first requests permission to draw over other apps. Then, using the permission to its own advantage, it practically blocks the device, forcing the user to give Device Administrator rights to the malicious application as well as permission to read and send SMS messages and make calls.
Versions 3.0 and 3.1, which were found in July, have the same features as version 2.0 and utilize the same command-and-control server but different ports. Only one installation package for each version has been found by us. At the same time, version 2.0 continues to be actively spread.
All of the “Lime”-stage versions are detected by Kaspersky Lab products as Trojan-Banker.AndroidOS.Gugi.b and Trojan-Banker.AndroidOS.Gugi.c.
The Trojan is actively transmitted via SMS spam, with a link to phishing web pages that show a message indicating that the user has, supposedly, received an MMS picture.
Information about MMS message on phishing website
If the “show” button in the message is clicked, then the Trojan-Banker.AndroidOS.Gugi will be downloaded onto the device. It is highly likely that the name of the Trojan downloaded from such a websi фte will be similar to img09127639.jpg.apk.
As we have written in a previous post, we have encountered an explosive growth of Trojan-Banker.AndroidOS.Gugi attacks. August revealed 3 times as many users attacked by Gugi as in July, and almost 20 times as many as in June.
An amount of Kaspersky Lab mobile product users attacked by Trojan-Banker.AndroidOS.Gugi mobile-banking Trojan family
Today, the biggest number of attacks is performed by Lime version 2.0. All of the known active command-and-control servers of this Trojan are related to Lime versions 1.5 – 3.1. Not a single “Fanta” server known to us has been accessible since the middle of August 2016.
More than 93% of attacked users were located in Russia.
MD5 of Malicious Files Mentioned in Article