A new banking Trojan, Gugi, has managed to bypass the security permission feature introduced by Google in the Android 6.0 Marshmallow operating system in order to steal users' banking credentials. The Trojan is mostly spread by SMS spam and aims to overlay banking apps with phishing windows to steal mobile-banking credentials.
Kaspersky Lab, which discovered the malware (Trojan-Banker.AndroidOS.Gugi.c) and says it can affect any Android device, reports that the Trojan steals these details by drawing an overlay screen on top of genuine mobile-banking apps and the Google Play Store app. It tricks users by displaying a message that reads "additional rights needed to work with graphics and windows", with the only option offered being "provide", which pressures users into granting the permission.
Android 6.0 Marshmallow introduced a feature called app permissions that requires any app to request permission before it can superimpose its windows/views over other apps.
However, the latest malware can now bypass this feature and proceeds through a sequence of steps in which it obtains the user's information; if it does not get what it needs, it ends up blocking the device. If this happens, the only option is to reboot the device in safe mode and uninstall the Trojan.
At the moment the Gugi Trojan has been spotted mainly in Russia, with 93% of known attacked users coming from that country. However, a Kaspersky chart shows it as a fast-rising Trojan: the first half of August 2016 had ten times more victims than April 2016.