New remote access Trojan called Ghimob has been targeting financial Android apps from banks, fintechs, exchanges and cryptocurrencies in Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique, security researchers at Kaspersky have discovered. This Trojan is said to have been deployed by a Brazil-based threat group Guildma – an actor part of the Tetrade family of banking Trojans – that was behind the recent Astaroth Windows malware as well. Once the Trojan is deployed on an Android smartphone, the hacker can access the infected device remotely, completing fraudulent transaction with the victim’s smartphone without consent.
Kaspersky discovered the Ghimob Trojan (specifically, the Trojan-Banker.AndroidOS.Ghimob family of Trojan) while investigating another malware campaign. The Trojan is spread via email that pretends to be from a creditor and provides a link where the recipient could view more information, while
the app itself pretends to be Google Defender, Google Docs, WhatsApp Updater, etc. If the recipient falls for the scam and clicks on the link in an Android-based browser, the Ghimob APK installer gets downloaded on their smartphones.
Once infection is completed, the malware proceeds to send a message to the hacker. This includes the phone model, whether it has screen lock activated, and a list of all installed apps that the malware has as a target including version numbers. Kaspersky says Ghimob spies on 153 mobile apps, mainly from banks, fintechs, cryptocurrencies and exchanges. The report says that this includes about 112 apps from institutions in Brazil, 13 cryptocurrency apps from different countries, nine international payment systems, five bank apps in Germany, three bank apps in Portugal, two apps in Peru, two in Paraguay, and one app each from Angola and Mozambique as well.
With Ghimob, the hacker can access the infected device remotely, completing the fraudulent transaction with the victim’s smartphone, so as to avoid machine identification, security measures implemented by financial institutions and all their antifraud behavioural systems. The hacker is also able to bypass screen lock, by recording it and later replaying it to unlock the device. “When the cybercriminal is ready to perform the transaction, they can insert a black screen as an overlay or open some website in full screen, so while the user looks at that screen, the criminal performs the transaction in the background by using the financial app running on the victim’s smartphone that the user has opened or logged in to,” researchers at Kaspersky explain.
Ghimob tries to hide its presence by hiding the icon from the app drawer. The malware also blocks the user from uninstalling it, restarting or shutting down the phone. Kaspersky cautions, “Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries. Our telemetry findings have confirmed victims in Brazil, but as we saw, the trojan is well prepared to steal credentials from banks, fintechs, exchanges, crypto-exchanges and credit cards from financial institutions operating in many countries, so it will naturally be an international expansion.”
Kaspersky warns financial institutions to be vary of Ghimob and improve their authentication processes, boost their anti-fraud technology and threat intel data.
Should the government explain why Chinese apps were banned? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.