Beware of Ghimob, a trojan that spies on up to 153 apps on Android
Source: HW Upgrade, added 10 Nov 2020
Ghimob is malware that targets banking apps, trying to steal credentials in order to make unauthorized transactions
by Andrea Bai, published on 10 November 2020 at 16:20 in the Security channel
Kaspersky
Kaspersky security researchers have identified a new Android malware with remote access functionality that is capable of stealing sensitive information from various applications: it is Ghimob, a predominantly banking trojan that appears to have been developed by the same group behind the Astaroth malware for Windows.
Ghimob has never been distributed through the Play Store: it spreads through phishing campaigns that lead to counterfeit websites previously used for Astaroth. These sites host apps and links that mimic official resources, with names like Google Defender, Google Docs, WhatsApp Updater or Flash Update.
Ghimob is the Android malware that steals the login credentials of home banking apps
If one of these counterfeit apps is downloaded and installed, the final stage of the compromise is a request for permission to use the accessibility services. If the user grants this request, the malware checks whether one or more of 153 specific apps are present and shows fake login pages for them in order to steal the user’s login credentials.
Most of these apps belong to Brazilian banking institutions, but in the latest versions of the malware Kaspersky researchers have found the ability to spy on the apps of five German banks, three Portuguese, two Peruvian, two Paraguayan and one each in Angola and Mozambique, with further expansion planned. And it doesn’t stop there: in addition to banking apps, Ghimob also targets cryptocurrency exchange apps.
If Ghimob manages to obtain credentials, it sends them to its operators, who can then access the victims’ accounts and perform unauthorized transactions. Should any of these accounts be protected by more robust security measures, such as two-factor authentication, Ghimob lets the attackers take remote control of the victim’s smartphone in order to intercept the verification steps.
Ghimob’s features have already been seen in other banking trojans such as BlackRock or Alien. Finally, Kaspersky highlights that Ghimob’s development follows a fairly common trend in the Brazilian malware landscape, in which gangs are initially very active against local targets and then slowly expand to hit victims in foreign countries.
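Since the compromise described above hinges on two things the article points out, a sideloaded app (Ghimob was never in the Play Store) that then obtains accessibility-service permission, the check a defender or mobile-device admin would most want is an audit of which accessibility services are enabled and whether their owning packages were installed from the Play Store. The script below is an added example written for this page, not code from the article or from Kaspersky. It runs offline on constructed strings shaped like the output of two adb commands (an assumption about the output format: `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `<package>/<ServiceClass>` entries or `null`, and `adb shell pm list packages -3 -i`, one `package:<name>  installer=<installer|null>` line per third-party app); every package name, the allowlist and the sample output are made up.

```python
"""Defender-side audit of enabled Android accessibility services.

Added example for this article, not the article's or Kaspersky's code.
Assumptions: the two constructed samples below match the format of
`settings get secure enabled_accessibility_services` and
`pm list packages -3 -i` on the device being audited. All package names
are invented for the example.
"""
from __future__ import annotations

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `settings get secure enabled_accessibility_services`.
SAMPLE_ENABLED_SERVICES = (
    "com.vendor.screenreader/com.vendor.screenreader.ReaderService:"
    "com.fakeupdater.app/com.fakeupdater.app.AccService"
)

# Constructed sample of `pm list packages -3 -i` (third-party apps only).
SAMPLE_PACKAGE_LIST = """\
package:com.vendor.screenreader  installer=com.android.vending
package:com.fakeupdater.app  installer=null
package:com.somebank.mobile  installer=com.android.vending
"""

# Accessibility services the organisation has reviewed and accepts
# (constructed allowlist; a real one would list the approved screen
# readers and assistive tools deployed to the fleet).
ALLOWED_SERVICES = {
    "com.vendor.screenreader/com.vendor.screenreader.ReaderService",
}


def parse_enabled_services(setting: str) -> list[str]:
    """Split the secure setting into individual package/service entries."""
    text = setting.strip()
    if text in ("", "null"):
        return []
    return [entry.strip() for entry in text.split(":") if entry.strip()]


def parse_package_installers(listing: str) -> dict[str, str | None]:
    """Map package name -> installer package; None when installer=null (sideloaded)."""
    installers = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name_part, _, installer_part = line.partition("installer=")
        package = name_part[len("package:"):].strip()
        installer = installer_part.strip() or "null"
        installers[package] = None if installer == "null" else installer
    return installers


def find_suspicious_services(setting: str, listing: str,
                             allowed: set[str]) -> list[dict]:
    """Flag enabled accessibility services that are not on the allowlist.

    Each finding records the owning package and whether it came from the
    Play Store. A non-allowlisted service owned by a sideloaded package is
    exactly the pattern the article describes. Packages absent from the
    third-party listing (e.g. system apps) are treated as not from the
    Play Store, so preinstalled assistive tools belong on the allowlist.
    """
    installers = parse_package_installers(listing)
    findings = []
    for entry in parse_enabled_services(setting):
        if entry in allowed:
            continue
        package = entry.split("/", 1)[0]
        installer = installers.get(package)
        findings.append({
            "service": entry,
            "package": package,
            "installer": installer,
            "sideloaded": installer != PLAY_STORE_INSTALLER,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_services(SAMPLE_ENABLED_SERVICES,
                                            SAMPLE_PACKAGE_LIST,
                                            ALLOWED_SERVICES):
        print(finding)
```

On a real device the two sample strings would be replaced by the captured output of the adb commands named in the docstring; the allowlist is the part that needs local judgement, because an enabled accessibility service is not malicious in itself, only one the organisation never approved and that arrived outside the store.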