Banking Trojan targets users of Australian government services


Banking Trojan targets users of Australian government services

Recent statistics from Kaspersky Botnet Tracking system showed that Trojan-Banker.AndroidOS.Gustuff is actively spreading in Australia adopting unusual techniques. We have detected an SMS campaign at the Australian user with messages containing texts like ‘Jassica shared an album with you hxxp:// on Instagram Shared’. Once opened on a device with Australian IP the URL will redirect a user to the malware site and download a sample of Trojan-Banker.AndroidOS.Gustuff.

“Fake web page”

Besides common technique of monitoring installed applications and overlaying them with a WebView, Trojan-Banker.AndroidOS.Gustuff now checks for URLs opened in browser and is able to open a WebView with a fake site overlaying the original web page. This method is currently used by Gustuff to steal users’ credentials for Australian Government service “MyGov” ( and National Australian Bank Internet Banking service (

An extended list of banking applications, payment applications, crypto-wallets is also targeted by the Trojan attempting to steal users’ credentials. This could be done by either downloading a phishing web page from the C&C or by loading a web page from the local archive (see “Credentials stealing” tab in the file attached) on the device saved earlier by Gustuff and overlaying the original app interface.

For Further information visit