
Ghimob Malware

Posted: November 10, 2020

The Ghimob Malware is an Android banking Trojan that redirects victims towards fake login portals for banking services. Besides collecting banking credentials, it also may compromise cryptocurrency wallets, such as Bitcoin wallets. Android users, particularly but not exclusively Brazilian ones, should avoid third-party application vendors and remove Ghimob Malware infections with compatible anti-malware services.

An Account Hijacker Spreads Out of South America

The same threat actor responsible for Guildma, or the Astaroth Trojan, is repurposing their C&C servers for a less Windows-oriented alternative: the Ghimob Malware, which compromises Android devices. This threat uses very similar attack methods to most Brazil-based spyware that targets bank customers. However, it's also actively updated for targeting users around the world.

Campaigns for the Ghimob Malware extend as far as Europe by way of German and Portuguese variants, although the Ghimob Malware remains compatible with multiple South American nations, as well. Rather than compromising Google's Play Store, the Ghimob group establishes fake application storefront websites and entices users to install unofficial copycats of Flash updates, Google Defender and similar brand products. Multiple warnings appear during the installation routine, requiring the user's consent.

Assuming that the victim allows the application through all prompts, the Ghimob Malware establishes a payload for collecting credentials from cryptocurrency wallets and bank accounts. It redirects users to Web pages that continue the imitation brand scheme with fake login pages for banking services and cryptocurrency exchanges. Furthermore, each fork of the Ghimob Malware localizes the browser-hijacking activity by customizing it to the user's presumed nationality.

Too Much Access from the Wrong Set of Hands

Like virtually all Brazilian banking Trojans, the Ghimob Malware's aim, as malware experts characterize it, is to take over financial service accounts and illegally transfer funds out of them. Android-specific Accessibility service options also grant attackers additional control over the infected device, helping them override security measures on the bank's side. While the Accessibility service is a standard Android feature for assisting users with disabilities, its misuse in this fashion is equivalent to a backdoor.

As a result, all users suspecting infections should turn off network access on their Android devices ASAP. Further security steps during the disinfection process should include contacting any banks related to potentially-compromised accounts and changing security information like passwords. Users also should check their cryptocurrency wallets and bank account records for unauthorized activity.

So far, malware researchers see no attacks involving the Play Store's compromise, meaning that users only acquiring applications from Google are safe from the Ghimob Malware campaign. Most Android anti-malware programs also should identify and delete the Ghimob Malware correctly.

The Internet is a hazardous place, whether one browses it on a phone or a PC. Trusting a download from the wrong 'company' is a high-stakes gamble that, frequently, pays off for criminals like the Ghimob Malware's gang – but an incredibly preventable one.
