Security researchers have discovered a new Android banking Trojan capable of spying on and stealing data from 153 Android applications.
The Ghimob Trojan is believed to have been developed by the same group behind the Windows Astaroth (Guildma) malware, according to a report published Monday by security firm Kaspersky.
According to Kaspersky, the new Android Trojan was being distributed inside malicious Android applications hosted on websites and servers previously used by the Astaroth (Guildma) operation.
It was never distributed through the official Play Store. Instead, the Ghimob group used malicious emails or websites to redirect users to websites promoting Android applications.
These apps mimicked official apps and brands, with names like Google Defender, Google Docs, WhatsApp Updater, and Flash Update. If users went ahead and installed the applications despite the warnings displayed on their devices, the malicious app would, as the last step of the infection process, ask to be granted the Accessibility Service.
If the permission was granted, the malware checked the infected phone for any of 153 targeted apps and, when one of them was opened, displayed a fake login page over it to steal the user's credentials.
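The two device-side signals described above, an impostor-branded app and an accessibility service that should not be enabled, are what an analyst looks for when triaging a phone for this class of malware. The following is an added example written for this page, not code from Kaspersky's report or from the Ghimob analysis. It parses the value of the real Android setting `enabled_accessibility_services` (the colon-separated `package/class` list returned by `adb shell settings get secure enabled_accessibility_services`) and a list of installed package names with their display labels, then cross-references the two. The sample setting value, the package names `com.example.*`, the brand-to-vendor mapping and the allowlist of known-good services are all constructed for the example and are not real Ghimob indicators.

```python
"""Triage helper for accessibility-service abuse on an Android device (added example).

Inputs an analyst can collect over adb:
  adb shell settings get secure enabled_accessibility_services
  a package -> label listing (e.g. from aapt dump badging on each APK)

Every sample value below is CONSTRUCTED for illustration; the com.example.*
packages and the allowlist are hypothetical, not indicators from the report.
"""

# Brand keywords seen in the fake app names ("Google Defender", "WhatsApp Updater",
# "Flash Update") mapped to package prefixes the genuine vendor ships under.
# Assumption: analyst-maintained mapping, extend as needed.
BRAND_OWNERS = {
    "google": ("com.google.", "com.android."),
    "whatsapp": ("com.whatsapp",),
    "flash": ("com.adobe.",),
}

# Accessibility services expected on the device. TalkBack is a real Google
# service name; treating it as the only allowed one is an assumption.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(setting_value):
    """Split 'pkg/cls:pkg/cls'; an empty string or the literal 'null' means none."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [entry for entry in value.split(":") if entry]


def suspicious_services(setting_value, allowlist=KNOWN_GOOD_SERVICES):
    """Enabled accessibility services that are not on the allowlist."""
    return [s for s in parse_enabled_services(setting_value) if s not in allowlist]


def brand_mismatches(apps):
    """apps: iterable of (package_name, display_label).

    Flags an app whose label borrows a brand name while its package is not
    shipped under that brand's package prefixes.
    """
    hits = []
    for package, label in apps:
        lowered = label.lower()
        for brand, prefixes in BRAND_OWNERS.items():
            if brand in lowered and not package.startswith(prefixes):
                hits.append((package, label, brand))
    return hits


def triage(setting_value, apps):
    """Combine both signals; 'high' is an impostor-branded package that also
    has an accessibility service enabled, the pattern described in the article."""
    services = suspicious_services(setting_value)
    mismatches = brand_mismatches(apps)
    packages_with_service = {s.split("/")[0] for s in services}
    high = [m for m in mismatches if m[0] in packages_with_service]
    return {
        "unexpected_services": services,
        "brand_mismatches": mismatches,
        "high": high,
    }


# Constructed sample input: one legitimate service plus one from a sideloaded app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.defender/com.example.defender.AccService"
)
# Constructed sample (package, label) listing.
SAMPLE_APPS = [
    ("com.google.android.apps.docs", "Google Docs"),
    ("com.whatsapp", "WhatsApp"),
    ("com.example.defender", "Google Defender"),
    ("com.example.updater", "WhatsApp Updater"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_SETTING, SAMPLE_APPS)
    for key, items in result.items():
        print(key)
        for item in items:
            print("  ", item)
```

Run on a live device, the two inputs would come from `adb shell settings get secure enabled_accessibility_services` and from labels extracted per APK; the brand-mismatch check alone produces false positives (third-party apps legitimately mention a brand in their name), which is why only the intersection with an unexpected accessibility service is reported as high.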
Most of the targeted applications belonged to Brazilian banks, but according to Kaspersky the recently updated versions expanded the list to banks in Germany (five applications), Portugal (three), Peru (two), Paraguay (two), and Angola and Mozambique (one each).
Additionally, the update added cryptocurrency exchange apps to the target list. In this Ghimob follows a general trend in the Android malware scene, which has slowly shifted toward cryptocurrency owners.
Once the phishing attempt succeeded, the collected credentials were sent back to the Ghimob gang, who would then log into the victim's account and initiate fraudulent transactions.
When accounts were protected by more stringent security measures, the Ghimob gang used their full control of the device (via the Accessibility Service) to respond to security checks and prompts displayed on the compromised smartphone.
Ghimob's features are not unique; they mirror the structure of other Android banking Trojans such as BlackRock or Alien, which likewise rely on the Accessibility Service and overlay login pages.
Kaspersky noted that Ghimob's development reflects a current trend in the Brazilian malware market, where highly active local gangs are slowly expanding to target victims in foreign countries.