Ghimob Malware Description
The Ghimob Malware is an Android banking Trojan that redirects victims towards fake login portals for banking services. Besides collecting banking credentials, it also may compromise cryptocurrency wallets such as Bitcoin. Android users, particularly but not exclusively Brazilian ones, should avoid third-party application vendors and remove the Ghimob Malware infections with compatible anti-malware services.
An Account Hijacker Spreads Out of South America
The same threat actor responsible for Guildma, or the Astaroth Trojan, is repurposing their C&C servers for a less Windows-oriented alternative: the Ghimob Malware, which compromises Android devices. This threat uses very similar attack methods to most Brazil-based spyware that targets bank customers. However, it's also actively updated for targeting users around the world.
Campaigns for the Ghimob Malware extend as far as Europe by way of German and Portuguese variants, although the Ghimob Malware remains compatible with multiple South American nations, as well. Rather than compromising Google's Play Store, the Ghimob group establishes fake application storefront websites and entices users to install unofficial copycats of Flash updates, Google Defender and similar brand products. Multiple warnings appear during the installation routine, requiring the user's consent.
Assuming that the victim allows the application through all prompts, the Ghimob Malware establishes a payload for collecting credentials from cryptocurrency wallets and bank accounts. It redirects users to Web pages that continue the imitation brand scheme with fake login pages for banking services and cryptocurrency exchanges. Furthermore, each fork of the Ghimob Malware localizes the browser-hijacking activity by customizing it to the user's presumed nationality.
Too Much Access from the Wrong Set of Hands
Like virtually all Brazilian banking Trojans, malware experts characterize the Ghimob Malware's aims to take over financial service accounts and illegally transfer funds out of them. Android-specific Accessibility service options also grant attackers additional control over the infected device, helping with overriding security measures from the bank's end. While the Accessibility service is a default Android class for assisting the disabled, its misuse in this fashion is equivalent to a backdoor.
As a result, all users suspecting infections should turn off network access on their Android devices ASAP. Further security steps during the disinfection process should include contacting any banks related to potentially-compromised accounts and changing security information like passwords. Users also should check their cryptocurrency wallets and bank account records for unauthorized activity.
So far, malware researchers see no attacks involving the Play Store's compromise, meaning that users only acquiring applications from Google are safe from the Ghimob Malware campaign. Most Android anti-malware programs also should identify and delete the Ghimob Malware correctly.
The Internet is a hazardous place, whether one browses it on a phone or a PC. Trusting a download from the wrong 'company' is a high-stakes gamble that, frequently, pays off for criminals like the Ghimob Malware's gang – but an incredibly preventable one.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to Ghimob Malware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.