A new Android banking trojan called Ghimob has reportedly been infecting mobile devices, targeting financial apps from banks, fintechs, exchanges and cryptocurrency services. The remote access trojan (RAT) is said to have been deployed by the same Brazilian criminal group that operates Guildma, a well-known Latin American banking malware.
First detailed by cyber-security firm Kaspersky, the newly discovered spyware targets financial apps used in Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique. So far all confirmed victims are in Brazil, but the group behind the malware is apparently preparing to expand its operations globally.
According to the researchers, Ghimob (detected as Trojan-Banker.AndroidOS.Ghimob) is a full-fledged Android spyware that gives the operators remote access to compromised devices, enabling them to make fraudulent transactions from the victim’s own smartphone while evading the anti-fraud controls implemented by financial institutions, since the activity originates from a device the bank already trusts. “Even if the user has a screen lock pattern in place, Ghimob is able to record it and later replay it to unlock the device”, said the report.
The malware is reportedly delivered when an unsuspecting user clicks a malicious URL sent via email. The URL that distributes the malicious Android APK is the same one that serves the malware-laden ZIP files for Windows: the server picks the payload according to the browser’s User-Agent header. “If the user-agent that clicked the malicious link is an Android-based browser, the file downloaded will be the Ghimob APK installer (instead of a Guildma ZIP File for Windows)”, said Kaspersky.
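Because the same link hands out a different file depending on the visitor, a single fetch from an analyst's desktop browser can miss the Android payload entirely. The script below is an added example, not code from Kaspersky's report or from the malware itself: it fetches a suspect URL once per User-Agent, classifies each response from its bytes (an APK is a ZIP that carries `AndroidManifest.xml` and `.dex` files) rather than trusting the server's Content-Type, and flags the URL as cloaked when the payloads differ. The User-Agent strings are illustrative, and the sample responses at the bottom are constructed in memory so the logic runs offline.

```python
import hashlib
import io
import zipfile
from urllib.request import Request, urlopen

# Representative browser User-Agent strings (illustrative values, not taken from the report).
USER_AGENTS = {
    "android": "Mozilla/5.0 (Linux; Android 10; Mobile) AppleWebKit/537.36 Chrome/86.0 Mobile Safari/537.36",
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/86.0 Safari/537.36",
}


def classify_payload(body: bytes) -> str:
    """Return 'apk', 'zip', 'pe' or 'other' from the bytes alone.
    The Content-Type header is ignored because the malicious server controls it."""
    if body.startswith(b"MZ"):
        return "pe"
    if not body.startswith(b"PK\x03\x04"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "other"
    # An APK is a ZIP archive that contains an Android manifest plus Dalvik bytecode.
    if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
        return "apk"
    return "zip"


def fingerprint(body: bytes) -> dict:
    """Hash, size and file kind of one response body."""
    return {"sha256": hashlib.sha256(body).hexdigest(), "size": len(body), "kind": classify_payload(body)}


def detect_cloaking(responses: dict) -> dict:
    """responses maps a User-Agent label to the raw body fetched with that UA.
    The URL is cloaked when the same link yields differing payloads."""
    fps = {label: fingerprint(body) for label, body in responses.items()}
    distinct = {fp["sha256"] for fp in fps.values()}
    return {"cloaked": len(distinct) > 1, "per_ua": fps}


def fetch_all(url: str, timeout: float = 15.0) -> dict:
    """Fetch the URL once per User-Agent. Run this only against URLs you are
    authorised to probe, from an isolated analysis host (hypothetical usage)."""
    out = {}
    for label, ua in USER_AGENTS.items():
        req = Request(url, headers={"User-Agent": ua})
        with urlopen(req, timeout=timeout) as resp:
            out[label] = resp.read()
    return out


def _make_zip(files: dict) -> bytes:
    """Build a small ZIP archive in memory (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample responses standing in for a live cloaking server:
# the Android visitor receives an APK-shaped archive, the Windows visitor a plain ZIP.
SAMPLE_RESPONSES = {
    "android": _make_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}),
    "windows": _make_zip({"document.lnk": b"placeholder, not a real shortcut"}),
}

if __name__ == "__main__":
    verdict = detect_cloaking(SAMPLE_RESPONSES)
    print("cloaked:", verdict["cloaked"])
    for label, fp in verdict["per_ua"].items():
        print(f"  {label:8s} {fp['kind']:5s} {fp['size']:6d} bytes  sha256={fp['sha256'][:16]}...")
```

To check a real link, replace `SAMPLE_RESPONSES` with `fetch_all(url)`; the comparison logic is the same. Fetching from several User-Agents (and ideally from more than one network location) is the practical defence against this kind of cloaking, since any single download gives only one of the server's answers.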
According to the report, the APKs distributed this way pose as installers for popular apps, including Google Defender, Google Docs and WhatsApp Updater. “Once installed on the phone, the app will abuse Accessibility Mode to gain persistence, disable manual uninstallation and allow the banking trojan to capture data, manipulate screen content and provide full remote control to the fraudster”, said the researchers.