Ghimob is a new Android banking Trojan discovered by Kaspersky that is able to steal data from 112 financial apps.
In July, cybersecurity researchers from Kaspersky Lab have detailed four different families of Brazilian banking trojans, tracked as Tetrade, that have targeted financial institutions in Brazil, Latin America, and Europe.
The four malware families are named Guildma, Javali, Melcoz, and Grandoreiro, experts believe are the result of a Brazilian banking group/operation that is evolving its capabilities targeting banking users abroad.
The Brazilian cybercrime underground is recognized as the most focuses on the development and commercialization of banking trojans.
Now the experts from Kaspersky’s Global Research and Analysis Team (GReAT) gathered further evidence that demonstrates that malware operators behind Tetrade, tracked as Guildma, have expanded their tactics to infect mobile devices with spyware.
Ghimob was designed to target financial apps from banks, fintech companies, exchanges, and cryptocurrencies in Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique.
“Ghimob is a full-fledged spy in your pocket: once infection is completed, the hacker can access the infected device remotely, completing the fraudulent transaction with the victim’s smartphone, so as to avoid machine identification, security measures implemented by financial institutions and all their anti-fraud behavioral systems,” reads the report published by Kaspersky.
Ghimob Trojan is able to record a screen lock pattern in place and later replay it to unlock the device. When the attackers have to perform the transaction, they can display a black screen as an overlay or open some website in full screen, to trick the victim into looking at that screen while performing the transaction in the background by using one of the financial apps running on the victim’s device that the user has opened or logged in to.
Experts noticed that Ghimob shares the C2 infrastructure as that of Guildma, threat actors use the same TTPs continuing to launch phishing emails to spread the malware. The messages were devised to trick unsuspecting users into clicking malicious URLs that downloads the Ghimob APK installer.
Ghimob is also interesting in the way it uses C2s with fallback protected by Cloudflare, hiding the real C2 with DGA and employing several other tricks. Compared to other BRATA or Basbanke, Ghimob is far more advanced and implements a wide range of features.
The Trojan supports common functions similar to other mobile RATs, such us the capability to mask its presence by hiding the icon from the app drawer and abuses Android’s accessibility features.
“While monitoring a Guildma Windows malware campaign, we were able to find malicious URLs used for distributing both ZIP files for Windows boxes and APK files, all from the same URL. If the user-agent that clicked the malicious link is an Android-based browser, the file downloaded will be the Ghimob APK installer.” continues the analysis.
“The APKs thus distributed are posing as installers of popular apps; they are not on Google Play but rather hosted in several malicious domains registered by Guildma operators. Once installed on the phone, the app will abuse Accessibility Mode to gain persistence, disable manual uninstallation and allow the banking trojan to capture data, manipulate screen content and provide full remote control to the fraudster: a very typical mobile RAT.”
Ghimob is the first Brazilian mobile banking trojan ready to target financial institutions and their customers in many other countries worldwide.
“The Trojan is well prepared to steal credentials from banks, fintechs, exchanges, crypto-exchanges, and credit cards from financial institutions operating in many countries.” concludes the report.
“Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries. The Trojan is well prepared to steal credentials from banks, fintechs, exchanges, crypto-exchanges, and credit cards from financial institutions operating in many countries.”
(SecurityAffairs – hacking, Ghimob)