Brazil-based hackers have recently expanded their operations worldwide with a new banking Trojan targeting Android users in multiple Latin American and European countries and may soon hit US users. Kaspersky Labs recently discovered the “Ghimob” remote access Trojan (RAT) while investigating another malware campaign. Kaspersky describes the malware as arriving on mobile devices via email purporting to be about an outstanding debt.
Victims click on an embedded link in the email and end up downloading the Trojan on their devices. Once installed, Ghimob sends a successful infection message to an attacker-controlled server. The initial message includes data on the phone model, a list of all apps on the device, and whether the user has implemented lock-screen security.
The Trojan prompts users to grant it full access rights on the Android device. Once those rights are granted, Ghimob gives attackers complete remote control of the device. They can take screenshots, use the microphone, and record all typed text. The Trojan can spy on 153 mobile apps, prevent manual uninstallation of apps, and install other apps from any source.
Ghimob also records and replaces any lock-screen pattern the user might have set to secure the device. Where fingerprint-based authentication is in use, the malware can force a blackout screen on the phone. Because the malware carries out its fraud from the victim’s own device, most anti-fraud mechanisms at financial institutions trust the access and accept the device’s actions as legitimate. In addition to bank accounts, Ghimob also targets applications from financial services companies, exchanges, and cryptocurrencies.
Who is Behind Ghimob?
The group behind the Ghimob malware is Guildma, a Brazilian hacking group associated with a set of four banking Trojan families collectively referred to as Tetrade. In the past, the group has focused mostly on mobile users in Brazil. It has since begun aggressively expanding its operations and is now a threat in countries including Angola, Germany, Mozambique, Paraguay, Peru, and Portugal.