Ghimob Malware Targeting Financial Android Apps, Offers Remote Access to Hacker: Kaspersky
Kaspersky says Ghimob spies on 153 mobile apps, mainly from banks, fintechs, cryptocurrencies and exchanges.
A new remote access Trojan called Ghimob has been targeting financial
Android apps from banks, fintechs, exchanges and cryptocurrencies in Brazil,
Paraguay, Peru, Portugal, Germany, Angola and Mozambique, security researchers
at Kaspersky have discovered. This Trojan is said to have been deployed by the
Brazil-based threat group Guildma - an actor that is part of the Tetrade family of
banking Trojans - which was also behind the recent Astaroth Windows malware.
Once the Trojan is deployed on an Android smartphone, the hacker can access the
infected device remotely, completing fraudulent transactions with the victim's
smartphone without consent.
Kaspersky discovered the Ghimob Trojan (specifically, the
Trojan-Banker.AndroidOS.Ghimob family of Trojans) while investigating another
malware campaign. The Trojan is spread via an email that pretends to be from a
creditor and provides a link where the recipient can supposedly view more
information, while the app itself pretends to be Google Defender, Google Docs,
WhatsApp Updater, etc. If the recipient falls for the scam and clicks on the link
in an Android-based browser, the Ghimob APK installer is downloaded onto their
smartphone.
Once the infection is complete, the malware sends a message to the hacker. This
includes the phone model, whether screen lock is activated, and a list of all
installed apps that the malware targets, including their version numbers.
Kaspersky says Ghimob spies on 153 mobile apps, mainly from banks, fintechs,
cryptocurrencies and exchanges. The report says this includes about 112 apps
from institutions in Brazil, 13 cryptocurrency apps from different countries,
nine international payment systems, five bank apps in Germany, three bank apps
in Portugal, two apps in Peru, two in Paraguay, and one app each from Angola and
Mozambique.
With Ghimob, the hacker can access the infected device remotely and complete
the fraudulent transaction from the victim's own smartphone, so as to evade
device fingerprinting, the security measures implemented by financial
institutions and their behavioural anti-fraud systems. The hacker is also able
to bypass the screen lock by recording the unlock pattern and later replaying
it to unlock the device. “When the cybercriminal is ready to perform the transaction, they
can insert a black screen as an overlay or open some website in full screen, so
while the user looks at that screen, the criminal performs the transaction in
the background by using the financial app running on the victim's smartphone
that the user has opened or logged in to,” researchers at Kaspersky explain.
Ghimob tries to hide its presence by removing its icon from the app drawer. The
malware also blocks the user from uninstalling it and from restarting or
shutting down the phone. Kaspersky cautions, “Ghimob is the first Brazilian
mobile banking trojan ready to expand and target financial institutions and their
customers living in other countries. Our telemetry findings have confirmed
victims in Brazil, but as we saw, the trojan is well prepared to steal
credentials from banks, fintechs, exchanges, crypto-exchanges and credit cards
from financial institutions operating in many countries, so it will naturally
be an international expansion.”