The New Ghimob Trojan Can Spy on 153 Mobile Apps and Extract Passwords

Security researchers have discovered a new and highly dangerous banking Trojan. The threat, nicknamed Ghimob, targets mobile phones and tablets.

Ghimob is a remote access Trojan (RAT) believed to originate from Brazil. The actors behind it have so far deployed it against victims in Latin American and European countries, and researchers expect it to reach US victims before long.

The Trojan is targeting Android devices and is spread using malicious e-mails. The fake e-mails attempt to scare the victim into thinking they have some sort of unpaid debt to financial institutions. Scare tactics are a common social engineering tool that often works surprisingly well.

Once the worried user taps the malicious link in the e-mail, the Trojan is downloaded and installed on the device. From that point on, Ghimob has near-complete control over the phone or tablet.

The malware can spy on over 150 different Android apps. Its capabilities also include microphone access and the ability to capture anything typed on the device, including passwords. More surprisingly, the researchers report that the RAT can also record the lock-screen swipe pattern. Ghimob can reportedly abuse biometric unlocking as well: it displays a fake black screen, silently launches a banking or financial app behind it, and lets the user believe they are unlocking the phone when their fingerprint is in fact authorising access to that sensitive app.

Ghimob is very hard to detect

Ghimob is hard to detect because it does not reach bank accounts from an unknown, external device; it performs its fraud from the account owner's own, already-enrolled phone. The device-recognition and device-fingerprinting checks that many financial services rely on do not raise an alarm when a trusted device is used, which is exactly what makes this RAT so dangerous. Catching it on the bank's side therefore depends on behavioural signals (unusual session timing, navigation that does not match the user's habits, anomalous transaction amounts or payees) rather than on device identity alone.

Researchers at Kaspersky stated that they believe the new Trojan comes from the Brazilian threat actor Guildma. The group is well known to researchers and has been associated with several other banking Trojans in the past. While Guildma used to deploy its malware primarily within Brazil, it now appears to be expanding and testing its tooling in new territories.

There is no hard evidence that Ghimob was ever used on victims inside the US.

November 13, 2020