Ghimob Malware Description
The Ghimob Malware is a new banking Trojan released by the same threat actors responsible for the Astaroth (Guildma) Windows malware. With Ghimob, the hackers appear to be following the broader trend among Brazilian cybercriminals of expanding their operations from a local to a worldwide level. Accordingly, Ghimob is equipped to collect credentials for a total of 152 different mobile applications belonging to banks, fintech companies, exchanges and, more recently, cryptocurrencies from a wide range of countries. While the majority of the targeted applications, 112 to be precise, are still Brazilian, it also targets 13 cryptocurrency applications and nine payment systems from different countries. In addition, it can create phishing login pages for five German banking applications, three from Portugal, two from Peru and Paraguay, and one application from Angola and Mozambique each.
While the main goal of the Ghimob Malware is to steal credentials and banking details, it has the capabilities of a fully-fledged spyware threat. It collects and exfiltrates various system data from the device, including the phone model, whether a screen lock is active, and a list of every app installed on it. By abusing the Accessibility Mode privileges it asks for, Ghimob achieves persistence on the device and blocks any attempt at manual uninstallation.
The hackers have near-complete control over compromised devices. They can execute transactions through the installed banking applications while hiding their actions by various means, such as displaying a black screen overlay or opening a website. The threat can also record the device's screen lock pattern and replay it on command.
The infection vector is phishing emails designed to appear as if they were sent by a financial institution or a creditor. Users are encouraged to click links that lead to websites set up by the hackers, where the malware is distributed under the guise of legitimate applications such as Google Defender, Google Docs or WhatsApp Updater.
The Ghimob Malware also carries several anti-analysis countermeasures. Before starting its full-scale operations, the threat checks the infected device for common emulators, for a debugger attached to its process, and for the debuggable flag in its manifest file. If any of these checks returns a positive result, the malware terminates its execution.
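As an added illustration of the behaviours described above (example code written for this page, not code from the original write-up, from Kaspersky, or from any vendor), the following Python script triages a decoded AndroidManifest.xml for the traits this description attributes to Ghimob: an accessibility service (persistence and uninstall blocking), the overlay permission (black-screen overlays during fraudulent transactions), a brand-imitating app label on a non-official package (the "WhatsApp Updater" lure), and the debuggable flag that the malware's own anti-analysis check tests. The two sample manifests, the package name com.example.updater and the brand-to-package table are constructed for the example; the permission and attribute names are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Fully qualified name of an android:* attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{attr}"


# Brand keywords the lures in the description imitate, mapped to the package
# prefix the genuine app ships under (standard Android package names; the
# table itself is an assumption for this example).
BRAND_PACKAGE_PREFIX = {
    "whatsapp": "com.whatsapp",
    "google": "com.google.",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return {finding_key: explanation} for a decoded AndroidManifest.xml.

    Three keys are red flags (overlay_permission, accessibility_service,
    brand_impersonation). The fourth, debuggable, is an analysis note:
    Ghimob checks that flag and exits, so a sample repackaged as debuggable
    for hooking will not run in the sandbox.
    """
    root = ET.fromstring(manifest_xml)
    findings = {}
    package = root.get("package", "")

    requested = {p.get(_a("name")) for p in root.iter("uses-permission")}
    if "android.permission.SYSTEM_ALERT_WINDOW" in requested:
        findings["overlay_permission"] = (
            "requests SYSTEM_ALERT_WINDOW: can draw overlays on top of banking apps")

    for svc in root.iter("service"):
        if svc.get(_a("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings["accessibility_service"] = (
                f"declares accessibility service {svc.get(_a('name'))}: "
                "can read screen content, inject input and block uninstallation")
            break

    app = root.find("application")
    label = (app.get(_a("label"), "") if app is not None else "").lower()
    for brand, prefix in BRAND_PACKAGE_PREFIX.items():
        if brand in label and not package.startswith(prefix):
            findings["brand_impersonation"] = (
                f"label {label!r} imitates {brand} but package is {package!r}")
            break

    if app is not None and app.get(_a("debuggable")) == "true":
        findings["debuggable"] = (
            "android:debuggable=true: Ghimob's own anti-analysis check would "
            "terminate a sample built this way")
    return findings


def is_suspicious(manifest_xml: str) -> bool:
    """True when at least one red flag (not merely the analysis note) is present."""
    red = {"overlay_permission", "accessibility_service", "brand_impersonation"}
    return bool(red & set(triage_manifest(manifest_xml)))


# Constructed sample: a dropper-style manifest posing as a WhatsApp updater.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.updater">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="WhatsApp Updater" android:debuggable="true">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed sample: a plain manifest under the brand's own package.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.whatsapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="WhatsApp">
        <activity android:name=".Main"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, is_suspicious(xml))
        for key, why in triage_manifest(xml).items():
            print(f"  {key}: {why}")
```

A real APK stores its manifest as binary XML, so decode it first (apktool produces a textual AndroidManifest.xml) and feed that text to triage_manifest. The script is a first-pass triage, not a verdict: legitimate accessibility tools and screen-filter apps also carry these permissions, so a hit should route the sample to a reviewer rather than block it outright.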