A new Android malware strain, ‘Ghimob’, mimics third-party mobile (mainly banking) apps to spy on users and steal their data once it is downloaded and installed. This Trojan steals data from users, primarily targeting online banking and cryptocurrency accounts.

As of the end of 2020, it is believed to siphon data from more than 153 apps by requesting accessibility permissions and running debugger checks. The risk to victims is high, as attackers can bypass banking institutions’ security measures and make transactions directly from the victim’s Android smartphone.

Here is what you need to know to protect yourself from this latest malware attack.

How Ghimob Malware Works

Ghimob malware works by sitting on a mobile device and searching for banking apps. It then opens a door for the threat actor to steal money while a decoy app runs in the foreground as a cover.

The Ghimob group uses emails or malicious sites to redirect users to websites promoting Android apps. Typically, an email containing a link is sent to the user. The link leads to an authentic-looking app, mostly presented as coming from a fraudulent creditor. The Ghimob Trojan installs itself and then sends a message back to the command-and-control (C2) server containing the victim’s phone data, including the model and the screen lock details. It then steals sensitive user information.

These apps also mimicked official apps and brands, such as Google Defender, Google Docs, WhatsApp Updater and Flash Update.

Kaspersky Lab spotted this iteration of Ghimob malware while keeping track of a Windows malware effort conducted by the threat actors known as Guildma. The security firm learned that the campaign downloaded an APK installer for Ghimob if victims clicked on one of the campaign’s malicious URLs using an Android-based browser.

The malware’s APK installers posed as installers for popular apps. At the time of discovery, they weren’t available for download on Google’s Play Store, but were hosted on several domains registered to Guildma’s operators.

Once installed, the remote access Trojan (RAT) ran a series of tests to check for emulators and debuggers and terminated itself if any of those tests came back positive. Otherwise, the Ghimob malware asked the victim to grant it accessibility permissions.

Once granted, the RAT malware sent a message to its notification server. This included the model of the infected device, whether that Android phone had a screen lock and a list of installed apps.

Spying From the Inside

Once embedded in a phone, Ghimob uses the data it collects to keep an eye out for 153 mobile apps belonging to banks, fintechs and cryptocurrency exchanges based in Brazil, Germany, Portugal, Peru, Paraguay, Angola and Mozambique. When it finds one of those apps running on an infected device, it begins to spy on the app.

From there, the malware reports the accessibility settings of the infected device to its handlers. It does so using fallback command-and-control (C2): hardcoded C2 providers that the Ghimob malware contacts to obtain the actual C2 address. This technique helps the malware’s handlers maintain command and control even if one C2 address is taken down.

The Tétrade Family of Banking Trojans

Guildma is a well-known banking Trojan developed by Brazilian threat actors and found around the world. First seen in 2015, this malware has attracted security researchers’ attention by abusing Living Off the Land binaries (LOLbins), that is, legitimate binaries native to the operating system, along with payloads hosted on YouTube and Facebook. These techniques have helped the threat target users in Brazil, China and Europe.

Kaspersky Lab analyzed Guildma and its Ghimob malware in the context of the Tétrade family of banking Trojans, a group of four large banking Trojan families first created in Brazil. The Tétrade consists of Guildma as well as Javali, Melcoz and Grandoreiro.

While those are the largest banking Trojan enterprises in Brazil, there are plenty of others. Operations like AVLay and others use two-factor authentication bypasses and fake chat windows to prey upon financial institutions and their customers.

How to Defend Against Ghimob Malware

Users can defend themselves against threats such as Ghimob by following mobile security best practices. These include downloading apps only from trusted developers on official mobile app stores and keeping mobile devices up to date. Use common sense: don’t approve permissions that aren’t required for an app’s advertised purpose.
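A defender-side triage check for the accessibility-permission abuse described above, added here as an example and not part of the original article or of Kaspersky’s analysis: it parses constructed output of two adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags any package that holds an enabled accessibility service but was sideloaded rather than installed from the Play Store. The package names in the sample data are made up.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service entries). TalkBack is a legitimate screen reader;
# the second entry is a made-up package standing in for a dropper posing as an updater.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.whatsapp.updater/.AccessService"
)

# Constructed sample of `adb shell pm list packages -i`. installer=null means the APK
# was sideloaded instead of being installed by a store app such as com.android.vending.
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.whatsapp.updater  installer=null
package:com.whatsapp  installer=com.android.vending
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # extend with an MDM/enterprise store if used


def parse_enabled_services(raw):
    """Return the set of package names that hold an enabled accessibility service."""
    pkgs = set()
    if raw.strip() in ("", "null"):  # `settings get` prints "null" when nothing is enabled
        return pkgs
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def parse_installers(raw):
    """Map package name -> installer package (None when sideloaded)."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def suspicious_accessibility_holders(services_raw, packages_raw):
    """Packages with accessibility access that did not come from a trusted store."""
    installers = parse_installers(packages_raw)
    flagged = []
    for pkg in sorted(parse_enabled_services(services_raw)):
        inst = installers.get(pkg)  # missing entry counts as untrusted
        if inst not in TRUSTED_INSTALLERS:
            flagged.append((pkg, inst))
    return flagged
```

Run `suspicious_accessibility_holders` on the real output of the two adb commands from a device under investigation; any hit should be reviewed and, if unexplained, have its accessibility service disabled and the app uninstalled.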

At the same time, organizations can protect users against financial services cyber threats by adding artificial intelligence and multifactor authentication to their apps. These features can help prevent threats like Ghimob from using an overlay attack to gain access to a customer’s account.
