
SMS: the new malware battleground

11:33am May 02 2019

The latest malware virus trickling into Australia, dubbed "Gustuff", is being spread through Android smartphones. (Getty)


If your smartphone asks you to do something you don’t expect, the advice from anyone in cyber security will be crystal clear: don’t do it.

Whether it’s an unexpected text message inviting you to look at a photo album, or a pop-up appearing out of the blue asking you to install a new version of software, chances are, it’s criminal.

While it seems like common sense, sometimes it’s tough to tell the difference between what’s real and what’s not. That’s especially true of the latest round of malicious software – dubbed “Gustuff” by cyber security vendors – which is trickling into Australia, showing how criminals around the world continue to evolve the way they target unsuspecting victims of fraud.

This new malware is a little unusual in that it is being spread through malicious SMS messages targeting Android smartphone users, mainly in Australia.

We haven't seen a lot of mobile phone malware before but, as history has shown, fraudsters always follow the money. As we rely more and more on our phones for our banking, they become more attractive targets for fraudsters.

Although media attention on the Gustuff virus has picked up only in the past few weeks, our teams have been working closely with other banks, law enforcement agencies and tech vendors since spotting the first couple of cases in November to track its evolution and work on ways to fight this new threat and keep our customers safe.

The good news is the campaign doesn't seem to be growing at a fast pace. According to the most recent Cisco Talos intelligence, while the malicious operators may be aggressively trying to spread the malware, it “doesn't seem to result in the same number of new infections”.

The two most common ways Gustuff has been spread so far are by sending a link to mobile phone users by SMS, and through “malvertising”, where an unsuspecting user clicks on a malicious advertisement, often on a video streaming website.

By clicking, the user successfully loads their intended content, but in the background their phone may become infected. This enables the criminals to gain control of the device to harvest financial passwords and make fraudulent transactions.

Through collaboration initiatives, the bank’s fraud detection intelligence is working to protect customers from the criminals behind Gustuff. But, as always, the best form of defence is prevention: Don’t click on any links or pop ups that seem to come out of the blue.

This latest malware illustrates the migration of fraud to online channels. The most recent statistics from the Australian Payments Network show that “card-not-present” fraud accounted for 85 per cent of all fraud in Australia in the year to 30 June 2018, while counterfeit and skimming dropped almost 46 per cent. And although total card fraud did increase 4.8 per cent during the year, it grew at a slightly slower rate than transactions made on Australian cards, which rose 5.1 per cent to a total of more than $767 billion.

Despite the increase, Westpac’s fraud losses as a percentage of turnover are falling, due to investment in our systems coupled with an overall better understanding of our customers’ behaviour enabling us to spot what’s abnormal and put a stop to it.

So, while our teams are getting better at detecting and blocking fraud on behalf of our customers, criminals will always evolve their modus operandi and can’t be eliminated altogether. Be aware of the dangers of phishing and malware, stay vigilant for anything unusual, and never share your PIN, passwords or SMS Protect codes with anyone.

Westpac's Group Chief Information Security Officer, Richard Johnson, joined the bank in 2000. In this role, and his previous position as Head of Technical Security Services for the Group, he has led the information security strategy, delivery and governance. Prior to joining the Westpac Group, Richard held roles as Head of Technology Audit at Woolworths Limited, Technology Audit Manager at BT Financial Group, and in Computer Risk Management at Arthur Andersen. In addition to his academic credentials, Richard has a number of professional security qualifications including CISA, CISM, CISSP, CRISC, SCF, and ACP.
