Kaspersky: Ghimob Malware Started in Brazil But Is Spreading
A recently uncovered banking Trojan targeting Android devices can spy on over 150 apps, including those of banks, cryptocurrency exchanges and fintech firms, as a way to gather credentials and other data, according to an analysis by security firm Kaspersky.
This malware, dubbed Ghimob, was developed by fraudsters in Brazil and is currently in use there, but it has also targeted apps associated with banks and their customers in Germany, Portugal, Peru, Paraguay, Angola and Mozambique, according to the report.
The Trojan appears to be linked to several other malware variants developed by the same Brazilian cybercriminal group, Kaspersky reports. These banking Trojans are collectively known as Tétrade, an umbrella term for four distinct malware strains: Guildma, Javali, Melcoz and Grandoreiro.
Since 2011, the operators behind the Tétrade family of Trojans have mainly targeted financial institutions in Brazil. In recent months, however, the fraudsters have started expanding globally, reengineering the malware to better evade security tools (see: Brazilian Banking Trojans Spread to Other Nations).
“Brazilian cybercriminals are very active and are creating new banking Trojans for desktop and mobile platforms,” Fabio Assolini, a security expert at Kaspersky, tells Information Security Media Group. “Right now, they are in a move to expand their attacks abroad, and Ghimob is one important step in this movement.”
The Kaspersky researchers first came across the Ghimob Trojan in August while examining a Windows campaign related to another malware strain circulating in Brazil.
“We believe this campaign could be related to the Guildma [Brazilian banking Trojan] threat actor for several reasons, but mainly because they share the same infrastructure,” according to the report. “It is also important to note that the protocol used in the mobile version is very similar to that used for the Windows version.”
Unlike many Android malware families, Ghimob is not distributed as a seemingly legitimate app in the official Google Play Store (see: Spyware Campaign Leverages Apps in Google Play Store).
Instead, the fraudsters attempt to lure victims into installing a malicious file through a phishing or spam email that suggests that the recipient has some kind of debt, according to the report. The message includes an “informational” link for the victim to click on, which starts the malware delivery.
The file delivered by the link is usually disguised as a Google Defender, Google Docs or WhatsApp Updater app, according to the report. Once the user installs it, the Ghimob Trojan is on the device. As an anti-analysis measure, the malware first checks whether it is running inside an emulator or under a debugger and, if it detects either, terminates itself.
If no emulator or debugger is detected, Ghimob connects to a command-and-control server and starts sending back details such as the phone model, whether the device has lock screen security and a list of the installed apps that the malware can target, according to the report.
The Trojan, which harvests credentials and a wide range of other data, can target more than 150 banking and financial apps, most of them used in Brazil. The Kaspersky report notes that the list of targeted apps is likely to expand as the fraudsters’ ambitions grow.
“Even if the user uses a lock screen pattern, Ghimob is able to record it and replay it to unlock the device,” according to Kaspersky. “When the actors are ready to perform a fraudulent transaction, they can insert a blank or black screen overlay or open some websites in full screen. Then, while the user looks at that screen, the attackers perform the fraudulent transaction in the background, using the already opened or logged-in financial app running on the device.”
The Kaspersky report also notes that Ghimob can block a user from attempting to uninstall the Trojan. The malware can also shut down and restart a device.
The malware also uses a domain generation algorithm to derive its command-and-control domains rather than relying on a single hard-coded address, which makes the C2 infrastructure harder for security tools to block, according to the report.
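To make the domain generation point concrete, the following is an added illustration and not Ghimob's code (the article does not disclose Ghimob's algorithm): a generic, hypothetical seed-and-hash DGA with constructed constants (SEED_SECRET, the TLD list, the label length and the per-day count are all assumptions). It shows the property that matters to both sides: the bot and its operators derive the same daily list of rendezvous domains from a shared seed, so a defender who recovers the seed from a sample can precompute the list for a window of days and block or sinkhole it before the bot resolves it.

```python
"""Toy domain generation algorithm (DGA), added for illustration.

This is NOT Ghimob's algorithm; it is a hypothetical seed-and-hash DGA of the
kind many banking Trojans use. Constants below are constructed for the demo.
"""
import hashlib
from datetime import date, timedelta

# Hypothetical constants, assumed for illustration only.
SEED_SECRET = b"example-seed-not-from-any-real-sample"
TLDS = (".com", ".net", ".org")
LABEL_LEN = 12
DOMAINS_PER_DAY = 20


def dga(day_iso: str, index: int) -> str:
    """Derive the index-th candidate domain for a day given as 'YYYY-MM-DD'.

    material = secret || YYYYMMDD || index; SHA-256 of that is mapped onto
    a-z so the label is DNS-safe and always LABEL_LEN characters long. The
    last digest byte selects the TLD.
    """
    day = date.fromisoformat(day_iso)
    material = SEED_SECRET + day.strftime("%Y%m%d").encode() + str(index).encode()
    digest = hashlib.sha256(material).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
    return label + TLDS[digest[-1] % len(TLDS)]


def daily_domains(day_iso: str, count: int = DOMAINS_PER_DAY) -> list:
    """All candidate C2 domains a bot would try on the given day, in order."""
    return [dga(day_iso, i) for i in range(count)]


def blocklist(start_iso: str, days_ahead: int, count: int = DOMAINS_PER_DAY) -> set:
    """Defender side: precompute every domain the DGA can yield over a window
    of days_ahead days starting at start_iso, e.g. to feed a DNS sinkhole."""
    start = date.fromisoformat(start_iso)
    result = set()
    for n in range(days_ahead):
        day_iso = (start + timedelta(days=n)).isoformat()
        result.update(daily_domains(day_iso, count))
    return result


def is_dga_domain(domain: str, start_iso: str, days_ahead: int) -> bool:
    """Check an observed DNS query name against the precomputed window.
    Normalises case and a trailing dot as seen in raw DNS logs."""
    return domain.lower().rstrip(".") in blocklist(start_iso, days_ahead)


if __name__ == "__main__":
    today = "2020-11-10"  # constructed date for the demo
    for d in daily_domains(today, 5):
        print(d)
    # A query for one of today's candidates is flagged within a 7-day window.
    print(is_dga_domain(daily_domains(today)[3], today, 7))
```

In practice the seed recovery is the hard part: it comes from reversing the sample, and the generated names are only as predictable as the inputs, so a DGA keyed on something the defender cannot anticipate in advance (a daily web lookup, for instance) shrinks the precomputation window accordingly.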