Tag Archive for: Ghimob

What is Ghimob Malware?


A new Android malware strain ‘Ghimob’ is mimicking third-party mobile (mainly banking) apps to spy and steal user data when downloaded and installed. This Trojan virus steals data from users, primarily targeting online banking and cryptocurrency.

As of the end of 2020, it is believed to siphon data from more than 153 apps by asking for accessibility permissions and using debugger checks. And the risk is high for victims, as attackers can bypass banking institutions’ security measures and make transactions on Android users’ smartphones. 

Here is what you need to know to protect yourself from this latest malware attack.

How Ghimob Malware Works

Ghimob malware works by sitting in a mobile device and searching for banking apps. Then, it opens a door for a threat actor to steal money while another app is running as a cover.

The Ghimob group will use emails or malicious sites to redirect users to websites promoting Android apps. An email is usually sent to a user with a link. This link takes the users to an authentic-looking app, mostly provided by a fraudulent creditor. The Ghimob Trojan malware installs itself and then sends a message back to the command-and-control (C2) server containing the victims’ phone data, including the model and the screen lock details. Then, it steals sensitive user information.

These apps also mimicked official apps and brands, such as Google Defender, Google Docs, WhatsApp Updater and Flash Update.

Kaspersky Lab spotted this iteration of Ghimob malware while keeping track of a Windows malware effort conducted by the threat actors known as Guildma. The security firm learned that the campaign downloaded an APK installer for Ghimob if victims clicked on one of the campaign’s malicious URLs using an Android-based browser.

The malware’s APK installers posed as installers for popular apps. At the time of discovery, they weren’t available for download on Google’s Play Store, but were hosted on several domains registered to Guildma’s operators.

Once installed, the remote access Trojan (RAT) malware ran a series of tests to check for emulators and debuggers. It terminated itself if any of those tests came…

Source…

Kaspersky discovers Ghimob banking malware targets mobile users worldwide – Back End News


When monitoring a Windows campaign from Guildma banking malware, Kaspersky researchers found URLs distributing not only a malicious .ZIP file for Windows, but also a malicious file that appeared to be a downloader to install Ghimob, a new banking Trojan.

Upon infiltrating Accessibility Mode, Ghimob can gain persistence and disable manual uninstallation, capture data, manipulate screen content, and provide full remote control to the actors behind it. According to experts, the developers of this “very typical” mobile Remote Access Trojan (RAT) are heavily focused on users in Brazil but have big plans to expand across the globe. The campaign is still active.

“Latin American cybercriminals’ desire for a mobile banking Trojan with a worldwide reach has a long history,” said Fabio Assolini, security expert at Kaspersky. “We have already seen Basbanke, then BRata, but both were heavily focused on the Brazilian market. In fact, Ghimob is the first Brazilian mobile banking Trojan ready for international expansion.”

Kaspersky explains threats in APAC’s manufacturing industry

Kaspersky’s report shows phishing rampant on social media, messaging apps

Guildma, a threat actor, which is part of the infamous Tétrade series, known for its scalable malicious activities both in Latin America and other parts of the world, has been working actively on new techniques, developing malware, and targeting fresh victims.

Spying on 153 mobile apps

Its new creation — the Ghimob banking Trojan — lures victims into installing the malicious file through an email which suggests that the person receiving it has some kind of debt. The email also includes a link for the victim to click on so they can find out more information. Once the RAT is installed, the malware sends a message about the successful infection to its server. The message includes the phone model, whether it has lock screen security, and a list of all installed apps that the malware can target. In total, Ghimob can spy on 153 mobile apps, mainly from banks, fintech companies, cryptocurrencies, and exchanges.

When it comes to functions, Ghimob is a spy in the victim’s pocket. Developers can remotely…

Source…