Modified Gugi banking trojan can bypass Android Marshmallow security: Kaspersky Lab

Updated on 09-Sep-2016
HIGHLIGHTS

The modified trojan forces users to give it permission to overlay genuine apps, send and view SMS, make calls, and so forth.

The experts at Kaspersky have discovered a modified version of the Gugi banking trojan. The company says that this version of the malware can bypass Android Marshmallow’s features that are designed to block phishing and ransomware attacks. It is noted that the modified trojan forces users to give it permission to overlay genuine apps, send and view SMS, make calls, and so forth.

The modified trojan first infects devices via social engineering, usually via a spam SMS that encourages users to click on a malicious link. Once it is installed on a device, the trojan displays a prompt which reads “additional rights needed to work with graphics and windows,” and gives the user no button other than ‘Provide’. This is then followed by another screen that asks the user to authorise app overlay. It then asks for “Trojan Device Administrator” rights, followed by permission to send and view SMS messages and make calls.

If the trojan does not receive the necessary permissions, it completely blocks the infected device. If this happens, users are left with no option but to reboot the device in safe mode and try to uninstall the trojan. However, it is noted that this is much harder if the trojan has already obtained device administrator rights. Gugi itself is a banking trojan designed to steal financial credentials, SMS messages and contacts, make USSD requests and send SMS messages as directed by its command server.

When Android Marshmallow was launched last year, it came with improvements to app permissions. Amongst other things, apps now need permission to overlay other apps and must request approval for actions like sending SMS messages or making calls the first time they attempt them. The latest version of Google's mobile operating system, Android Nougat, will check for malware when it boots up.
