A Brazil-based threat group is responsible for deploying the Ghimob banking trojan in multiple countries.
Kaspersky Labs’ Global Research and Analysis Team (GReAT) has uncovered details of a new banking trojan, which they believe is deployed by a Brazilian threat group dubbed Guildma.
The trojan is named Ghimob. It is a Remote Access Trojan (RAT) that infects Android mobile devices via emails disguised as debt-payment notices.
The campaign was identified only four months after the Tetrade, a set of four banking trojans also deployed by Brazilian threat actors, which mainly targeted financial institutions in Latin America, Brazil, and Europe.
Kaspersky researchers claim that the same criminals are trying to expand their operations by infecting mobile devices in Europe, Latin America, and possibly the USA with spyware. It is worth noting that the trojan is hosted on third-party domains, not on the Google Play Store.
Ghimob's primary targets are financial apps from fintech firms, banks, cryptocurrency services, and exchanges located in Brazil, Peru, Paraguay, Portugal, Angola, Germany, and Mozambique.
“Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries. The Trojan is well prepared to steal credentials from banks, fintech, exchanges, crypto-exchanges, and credit cards from financial institutions operating in many countries,” researchers noted.
Guildma uses a tried-and-tested modus operandi: phishing emails distribute the malware by luring unsuspecting users into clicking malicious URLs that download the Ghimob APK installer. Once installed on the Android device, the trojan works much like any other mobile RAT.
Soon after installation, the trojan sends a message to the attacker's server to report a successful infection. The message includes the phone model, a list of apps installed on the device, and whether the user has set up lock-screen security.
According to researchers, after its installation, Ghimob helps attackers gain full control over the device remotely to take screenshots and record the text the user types in mobile apps or online fields, and use the microphone.
It hides its icon from the app drawer. It abuses the device's accessibility features to maintain persistence, capture keystrokes, block manual uninstallation, give the attacker full control of the device, and manipulate on-screen content. Even if the user has enabled a screen lock pattern, the banking trojan can record it and replay it later to unlock the device.
“Ghimob is a full-fledged spy in your pocket: once the infection is completed, the hacker can access the infected device remotely, completing the fraudulent transaction with the victim’s smartphone, so as to avoid machine identification, security measures implemented by financial institutions and all their anti-fraud behavioral systems,” stated GReAT in its analysis.
The attacker either places a black screen over the display as an overlay or opens a website in full screen to mask the transaction. While the user is looking at that screen, the attacker carries out a transaction in the financial app the user has logged into or opened on the infected device.
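The capabilities described above (accessibility-service abuse, screen overlays, microphone access) all require declarations in an Android app's manifest, which makes them useful triage signals for defenders reviewing sideloaded APKs. The following is an added example written for this article, not code from Kaspersky or from the Ghimob analysis: it parses a decoded AndroidManifest.xml and scores the app on the permission and service combination a banking trojan of this kind would need. The two manifests embedded below are constructed samples, not Ghimob's real manifest, and the package names are placeholders.

```python
"""Heuristic manifest triage for sideloaded Android APKs.

Flags the combination of capabilities a mobile banking RAT needs:
an accessibility service (reads screen content, injects input),
SYSTEM_ALERT_WINDOW (draws overlays over other apps) and
RECORD_AUDIO (microphone). Input is a decoded AndroidManifest.xml,
e.g. from apktool. Sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "debt reminder" app declaring every capability we flag.
SUSPECT_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.placeholder.debtreminder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Debt Reminder">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app with only network access.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.placeholder.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read a namespaced android:* attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def manifest_indicators(manifest_xml):
    """Extract the capability indicators relevant to banking-trojan triage."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    accessibility = any(
        _attr(s, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "accessibility_service": accessibility,
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "microphone": "android.permission.RECORD_AUDIO" in perms,
    }


def triage(manifest_xml):
    """Return (score, findings): one point per flagged capability, 0-3."""
    ind = manifest_indicators(manifest_xml)
    findings = []
    if ind["accessibility_service"]:
        findings.append("declares an accessibility service: can read screen content and inject input")
    if ind["overlay"]:
        findings.append("requests SYSTEM_ALERT_WINDOW: can draw overlays over other apps")
    if ind["microphone"]:
        findings.append("requests RECORD_AUDIO: can use the microphone")
    return len(findings), findings


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        score, findings = triage(manifest)
        print(f"{label}: {manifest_indicators(manifest)['package']} score={score}")
        for f in findings:
            print(f"  - {f}")
```

A score of 3 does not make an app malicious; screen readers and call-recording apps legitimately hold some of these capabilities. The heuristic is for prioritising which sideloaded APKs get manual analysis, and it cannot see runtime behaviour such as hiding the launcher icon after installation, which only dynamic analysis would reveal.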
Ghimob is targeting 153 apps, out of which 112 are of financial institutions in Brazil.