The Ghimob Malware
Ghimob is a newly reported Trojan that targets Android devices and is spreading internationally at a rapid rate. The malware originates from Brazil and, as security researchers have identified, it can spy on and extract data from 153 Android apps.
According to a study published by Kaspersky, the Ghimob Trojan is suspected to have been created by the same criminal group that is behind the Astaroth (Guildma) Windows malware. What supports this suspicion is the fact that Ghimob has been distributed for download from websites and servers previously used by Astaroth (Guildma), typically bundled with malicious Android applications.
The malicious actors have not been able to compromise the official Android Play Store, so they relied on emails and malicious websites to redirect users to pages that promote the Trojan-bundled Android apps. The apps used to distribute Ghimob imitated well-known apps and brands, such as Google Defender, Google Docs, WhatsApp Updater and Flash Update, in order to trick users into downloading them.
Users who were careless enough to install the malicious software and bypass the displayed security alerts allowed the Ghimob-bundled apps to gain access to the Accessibility service. The malware then searched the infected Android device for any of 153 targeted applications and displayed fake login pages over them in an attempt to steal the users’ login credentials.
The majority of the targeted apps belonged to banks in Brazil. However, in their report from Monday, Kaspersky explained that recent versions of the Ghimob banking Trojan have extended its global reach to include banks in Germany, Portugal, Peru, Paraguay, Angola and Mozambique.
In addition, Ghimob has been updated to attack cryptocurrency trading applications in an attempt to gain access to cryptocurrency accounts.
From the information available, it seems that this new Android banking Trojan continues an overarching pattern in the Android malware scene, which is steadily moving to target cryptocurrency owners.
After every successful phishing attempt, the stolen passwords were sent to the Ghimob operators, who would then log in to the victim's account and execute unauthorized transactions.
Accounts protected by hardened security measures were not an obstacle for the criminals behind the Ghimob Trojan, since they used their control over the infected Android device (via the Accessibility service) to respond to any security checks and prompts that the device would show.
Research into Ghimob shows that its development fits a current trend in Brazil's malware market, where active local cybercriminal groups are slowly expanding their targets and aiming at victims abroad.
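Because Ghimob's fake-login overlays and its automated handling of security prompts both hinge on the victim granting Accessibility access, one practical triage check on a managed device is to list the enabled accessibility services and flag any whose package is not on an allowlist. The script below is an added example, not code from the article or from Kaspersky's report; the sample setting value and the `com.example.flashupdate` package are constructed placeholders, not real Ghimob indicators, and reading the setting from a live device assumes `adb` is on the PATH.

```shell
#!/bin/sh
# Triage helper: report enabled Android accessibility services whose package
# is not allowlisted. On a connected device the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# which prints "pkg/.Service:pkg2/.Service2", or "null" when none are enabled.

# Constructed sample resembling an infected device: a legitimate screen reader
# plus an unknown service from a "Flash Update"-style lure app (placeholder).
SAMPLE_ENABLED="com.google.android.marvin.talkback/.TalkBackService:com.example.flashupdate/.AccService"
# Colon-separated packages that are expected to hold Accessibility access.
ALLOWLIST="com.google.android.marvin.talkback:com.android.talkback"

# Usage: unexpected_a11y_services "<setting value>" "<allowlist>"
# Prints one unexpected service per line; prints nothing when all are allowed.
unexpected_a11y_services() {
    enabled="$1"
    allow="$2"
    # settings get prints the literal string "null" for an unset key
    [ "$enabled" = "null" ] && enabled=""
    old_ifs="$IFS"
    IFS=':'
    for svc in $enabled; do
        [ -z "$svc" ] && continue
        pkg="${svc%%/*}"          # package name is everything before the '/'
        found=0
        for ok in $allow; do
            [ "$pkg" = "$ok" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$svc"
    done
    IFS="$old_ifs"
}

# Run against the constructed sample; expected output is the flashupdate service.
unexpected_a11y_services "$SAMPLE_ENABLED" "$ALLOWLIST"
# On a real device (assumes adb on PATH):
#   unexpected_a11y_services "$(adb shell settings get secure enabled_accessibility_services)" "$ALLOWLIST"
```

Any service this prints deserves a closer look at the owning package, since a freshly installed "updater" or "defender" app holding Accessibility access is exactly the foothold the article describes.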