New ‘Ghimob’ Android trojan evolves from Brazil and may spread globally
In their recent research, the security researchers have discovered a new Android banking trojan that can steal data from 153 Android applications.
Named ‘Ghimob’, the trojan spies mainly through banks, fintechs, cryptocurrencies and exchanges. The threat from the trojan is highlighted in a new report by Kaspersky.
Kaspersky says, the new Android trojan has been offered for download packed inside malicious Android apps on sites and servers previously used by the Astaroth (Guildama) operation.
Also Kaspersky warns that the new Android trojan gives a remote access of an infected device to the hacker. Once infected, the trojan can be used to complete fraudulent transactions right from the victims’ smartphones.
The report mentions that Ghimob is able to operate “even if the user has a screen lock pattern in place.” It does so by recording the screen lock pattern and then replaying it to unlock the device.
After any phishing attempt was successful, all collected credentials were sent back to the Ghimob gang, which would then access a victim’s account and initiate illegal transactions.
If accounts were protected by hardened security measures, the Ghimob gang used its full control over the device (via the Accessibility service) to respond to any security probes and prompts shown on the attacked smartphone.
Ghimob’s features aren’t unique, but actually copy the make-up of other Android banking trojans, such as BlackRock or Alien.
Kaspersky noted that Ghimob’s development currently echoes a global trend in the Brazilian malware market, with the very active local malware gangs slowly expanding to target victims in countries abroad.
In fact, the report claims Ghimob to be the first Brazilian mobile banking trojan “ready to expand and target financial institutions and their customers living in other countries.”
