Android Malware Targets Users of 32 Crypto Apps, Including Coinbase, BitPay

Published by Cointele

A new strain of Trojan malware for Android phones is targeting global users of top crypto apps such as Coinbase, BitPay and Bitcoin Wallet, as well as banks including JPMorgan, Wells Fargo, and Bank of America.

The malware is described as being designed for mass infection and is spread by SMS messages containing links that load malicious Android package kit (APK) files.

The malware's creators have reportedly created "Automatic Transfer Systems" that aim to expedite and scale the thefts by triggering autofills of payment fields for legitimate Android apps to maliciously reroute transfers to the hackers.

The app is purported to issue a host of "Web fakes" that mimic legitimate apps to phish for sensitive data from users - specifically targeting customers of as many as 32 different crypto apps.

Push notifications using legitimate icons are a further device the malware uses to automate downloads of fake apps and trigger transaction autofills.

Group IB reportedly identified 27 fake crypto and banking apps specific to the United States, 16 for Poland, 10 for Australia, nine for Germany and nine for India.

The malware also targets payment systems and messenger services such as PayPal, Revolut, Western Union, eBay, Walmart, Skype and WhatsApp.

"Using the Accessibility Service mechanism means that the Trojan is able to bypass changes to Google's security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan's developer, this feature works in 70 percent of cases."

Android users are advised by Group IB to download apps strictly from the Google Play store and pay attention to the extensions of downloaded files.
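The check below is an added example, not code from Group IB or from this article: it cross-references the accessibility services enabled on a device with each package's installer, flagging services whose package did not come from Google Play. It assumes the text output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the package names and sample output are constructed.

```python
# Added example: flag enabled accessibility services owned by sideloaded packages.
# Inputs are the text output of two adb commands (assumed formats; samples are constructed):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
PLAY_STORE = "com.android.vending"

def parse_installers(pm_output):
    """Map package name -> installer from 'package:<name>  installer=<pkg>' lines."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        if not fields:
            continue
        installer = "null"  # pm prints installer=null for sideloaded or preloaded apps
        for field in fields[1:]:
            if field.startswith("installer="):
                installer = field[len("installer="):]
        installers[fields[0]] = installer
    return installers

def parse_services(setting_value):
    """Split the colon-separated 'package/ServiceClass' component list."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [component for component in value.split(":") if component]

def flag_sideloaded_services(setting_value, pm_output, trusted=(PLAY_STORE,)):
    """Return (package, component, installer) for services not installed by a trusted store."""
    installers = parse_installers(pm_output)
    findings = []
    for component in parse_services(setting_value):
        package = component.split("/", 1)[0]
        installer = installers.get(package, "unknown")
        if installer not in trusted:
            findings.append((package, component, installer))
    return findings

# Constructed sample output (hypothetical package names).
SAMPLE_SETTING = "com.example.screenreader/.ReaderService:com.example.flashupdate/.HelperService\n"
SAMPLE_PM = """package:com.example.screenreader  installer=com.android.vending
package:com.example.flashupdate  installer=null
package:com.example.wallet  installer=com.android.vending
"""

if __name__ == "__main__":
    for package, component, installer in flag_sideloaded_services(SAMPLE_SETTING, SAMPLE_PM):
        print(f"REVIEW {component} (installer={installer})")
```

Preloaded system accessibility services also report `installer=null`, so each finding is a prompt for manual review rather than a verdict.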

As reported in February, decentralized app MetaMask was recently pulled from Google Play after researchers detected malware impersonating the tool to steal crypto from users.
