Four months after security researchers uncovered a “Tetrade” of four Brazilian banking Trojans targeting financial institutions in Brazil, Latin America, and Europe, new findings show that the criminals behind the operation have expanded their tactics to infect mobile devices with spyware.
According to Kaspersky’s Global Research and Analysis Team (GReAT), the Brazil-based threat group Guildma has deployed “Ghimob,” an Android banking Trojan targeting financial apps from banks, fintech companies, exchanges, and cryptocurrencies in Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique.
“Ghimob is a full-fledged spy in your pocket: once infection is completed, the hacker can access the infected device remotely, completing the fraudulent transaction with the victim’s smartphone, so as to avoid machine identification, security measures implemented by financial institutions and all their anti-fraud behavioral systems,” the cybersecurity firm said in a Monday analysis.
In addition to sharing the same infrastructure as that of Guildma, Ghimob continues the modus operandi of using phishing emails as a mechanism to distribute the malware, luring unsuspecting users into clicking malicious URLs that downloads the Ghimob APK installer.
The Trojan, once installed on the device, functions a lot similar to other mobile RATs in that it masks its presence by hiding the icon from the app drawer and abuses Android’s accessibility features to gain persistence, disable manual uninstallation and allow the banking trojan to capture keystrokes, manipulate screen content and provide full remote control to the attacker.
“Even if the user has a screen lock pattern in place, Ghimob is able to record it and later replay it to unlock the device,” the researchers said.
“When the cybercriminal is ready to perform the transaction, they can insert a black screen as an overlay or open some website in full screen, so while the user looks at that screen, the criminal performs the transaction in the background by using the financial app running on the victim’s smartphone that the user has opened or logged in to.”
What’s more, Ghimob targets as many as 153 mobile apps, 112 of which are financial institutions based in Brazil, with cryptocurrency and banking apps in Germany, Portugal, Peru, Paraguay, Angola, and Mozambique accounting for the rest.
“Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries,” Kaspersky researchers concluded. “The Trojan is well prepared to steal credentials from banks, fintechs, exchanges, crypto-exchanges, and credit cards from financial institutions operating in many countries.”