Skip to content

S0406 Gustuff

Gustuff is mobile malware designed to steal users’ banking and virtual currency credentials.1

Item Value
ID S0406
Associated Names
Version 1.0
Created 03 September 2019
Last Modified 14 October 2019
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1432 Access Contact List Gustuff can collect the contact list.1
mobile T1438 Alternate Network Mediums Gustuff can use SMS for command and control from a defined admin phone number.1
mobile T1418 Application Discovery Gustuff checks for antivirus software contained in a predefined list.1
mobile T1412 Capture SMS Messages Gustuff can intercept two-factor authentication codes transmitted via SMS.1
mobile T1533 Data from Local System Gustuff can capture files and photos from the compromised device.1
mobile T1476 Deliver Malicious App via Other Means Gustuff was distributed via SMS phishing messages to numbers exfiltrated from compromised devices’ contact lists. The phishing SMS messages are sent from the compromised device to the target device.1
mobile T1417 Input Capture Gustuff abuses accessibility features to intercept all interactions between a user and the device.1
mobile T1516 Input Injection Gustuff injects the global action GLOBAL_ACTION_BACK to mimic pressing the back button to close the application if a call to an open antivirus application is detected.1
mobile T1411 Input Prompt Gustuff uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. Gustuff can also send push notifications pretending to be from a bank, triggering a phishing overlay. 12
mobile T1406 Obfuscated Files or Information Gustuff code is both obfuscated and packed with an FTT packer. Command information is obfuscated using a custom base85-based encoding.1
mobile T1437 Standard Application Layer Protocol Gustuff communicates with the command and control server using HTTP requests.1
mobile T1508 Suppress Application Icon Gustuff hides its icon after installation.2
mobile T1426 System Information Discovery Gustuff gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.1
mobile T1422 System Network Configuration Discovery Gustuff gathers the device IMEI to send to the command and control server.1


Back to top