Ghimob, a new Android banking trojan of Brazilian origin that began operating only a few months ago, is spreading rapidly and targets banks all over the world.
The fact that it was found being distributed from the command-and-control servers of the Windows banking trojan Guildma suggests that both trojans share developers.
When it comes to banking malware, we find that the vast majority of families don't stick to the basic functionality of credential stealing; their developers try to maximize the features on offer in order to attract buyers.
The business isn't limited to giving the buyer as much functionality as possible: the sellers use the same marketing strategies as any legitimate business, such as promotions and trial periods for their products.
This potential new family shares certain similarities with Cerberus and Eventbot, but key differences, such as how the data exchanged with the control server is encrypted and the set of commands the server can execute on the device, indicate that it is neither of the two.
We have ruled out the possibility of its being a new iteration of either family, since it lacks one of the characteristics that most complicates their analysis: the encryption and obfuscation of text strings.
Since March there have been signs of a new trojan in the Android banking malware scene. The family has been named 'Eventbot', mainly because the word 'event' appears in the malicious app's package identifier, probably a reference to its novel use of accessibility events to steal credentials.
Most banking trojans use accessibility events to detect when an application is opened, before showing a webinject with a phishing form that siphons off the victim’s credentials.
BasBanke, also known as CoyBot, has been very active in recent weeks, with new propagation campaigns and new samples in which it has not only impersonated other brands to make the user believe it is a legitimate application, but has also impersonated banking entities directly in specific versions that target only those entities.
There have been no changes at a technical level with respect to past campaigns; the main news is the addition of newly targeted banking entities.
What should we expect in the future? More malware, mainly ransomware. Ransomware attacks increased significantly in 2019 and no longer target only individual users.
There have been attacks on companies, seeking the greatest possible profit. Holding user documents hostage is one of the most effective ways to make money, since users desperate to recover them may end up paying to do so.
Although malware for mobile devices has gained popularity in recent years with the rise of smartphones, from which almost anything can be managed today, desktop malware is still very much present.
Moreover, as threat detection improves, malware developers evolve in turn, adding increasingly complex functionality to achieve their objective of stealing banking credentials.
Theft of banking credentials is based on 'overlays' shown to the user when he or she opens the legitimate application of the targeted bank. Besides overlays, GINP uses the same technique as the rest of the Android banking trojans to detect the launch of legitimate apps: an accessibility service that receives the events occurring in the user interface.
It is especially curious that this malware has gone from being a spyware trojan to being a banking trojan which, moreover, only affects Spanish banking entities. This indicates that these samples are specifically designed to target Spanish users.
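The two capabilities described above for Eventbot and GINP, an accessibility service to observe which app is in the foreground and the overlay permission to draw a fake login screen over it, both have to be declared in the app's manifest, which makes them a cheap static triage signal. The script below is an added example and not code from any of the families or from the original article: it parses a decoded AndroidManifest.xml and flags the accessibility-plus-overlay combination, with SMS and install permissions as aggravating findings. The two manifests are constructed for illustration. Real APKs ship the manifest in binary AXML, so decode it first (for example with apktool or androguard) before feeding it to this script.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability pattern
Android banking trojans rely on: an accessibility service (to receive UI
events and notice when a bank app comes to the foreground) combined with
the overlay permission (to draw a fake login screen over it) and, often,
SMS access (to grab one-time codes).

Added example. The two manifests below are constructed for illustration and
do not come from any real sample.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Permissions whose presence next to an accessibility service fits the pattern.
RISKY_PERMISSIONS = {
    OVERLAY_PERM: "can draw windows over other apps (fake login screens)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (one-time codes)",
    "android.permission.READ_SMS": "can read the SMS inbox (one-time codes)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart after reboot (persistence)",
}


def declares_accessibility_service(root):
    """True if some <service> is protected by BIND_ACCESSIBILITY_SERVICE and
    registers the AccessibilityService intent action, i.e. it is a genuine
    accessibility service the user will be asked to enable in Settings."""
    for svc in root.iter("service"):
        if svc.get(A + "permission") != ACCESSIBILITY_PERM:
            continue
        if any(act.get(A + "name") == ACCESSIBILITY_ACTION for act in svc.iter("action")):
            return True
    return False


def triage_manifest(xml_text):
    """Return package name, verdict and the list of findings for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []
    has_a11y = declares_accessibility_service(root)
    if has_a11y:
        findings.append("accessibility service: receives window/app-switch events")
    findings += [f"{p}: {why}" for p, why in RISKY_PERMISSIONS.items() if p in perms]
    # Accessibility + overlay is the banker signature; SMS permissions only add weight.
    return {
        "package": root.get("package"),
        "suspicious": has_a11y and OVERLAY_PERM in perms,
        "findings": findings,
    }


# Constructed manifest imitating a banker disguised as a media player.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Video Player">
    <service android:name=".UiWatcher"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

The verdict deliberately requires both halves of the pattern: many legitimate apps (screen readers, password managers, automation tools) declare an accessibility service, and plenty of benign apps request the overlay permission, so either alone is only a finding, not a verdict. Treat the output as a triage queue, not a conviction.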
The samples reached us through our automatic malware analysis systems, and the propagation vectors used by the criminals could not be determined in this study.
Probably, as is usual with this type of malware, the malicious APK was distributed through fraudulent web pages.
Host Modifier trojans are usually distributed through spam emails in which the attacker impersonates public agencies or companies. This modus operandi is not exclusive to this malware family: other families that target Latin American entities use the same tricks.
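Whatever the delivery vector, the payload of a Host Modifier trojan leaves a footprint that is easy to audit: the family name refers to trojans that rewrite the system hosts file so that a bank's domain resolves to an attacker-controlled address and the browser lands on a phishing copy while showing the real domain. The script below is an added example, not code from the article or from any of the families discussed: it parses a hosts file and flags every mapping of a non-loopback hostname, raising the severity for domains on a watchlist. The hosts contents and the bank domains are constructed, and the assumption that a clean hosts file maps only loopback names is a heuristic, not a rule.

```python
"""Audit a hosts file for pharming entries of the kind a 'Host Modifier'
trojan writes: a bank's hostname mapped to an attacker-controlled address.

Added example. The hosts contents and the watchlist below are constructed,
not taken from any real infection. Heuristic: a stock hosts file maps only
loopback names, so any other hostname mapping is worth a look, and one for
a watched domain is high severity. Entries pointing at 0.0.0.0 or loopback
are sinkholes (ad-blocker style), not redirections, and are skipped.
"""
import ipaddress

# Names a stock hosts file legitimately contains.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping, ignoring
    comments, blank lines and lines whose first field is not an IP address."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a mapping line
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def audit_hosts(text, watchlist):
    """Return the suspicious mappings found in a hosts file as dicts with
    line number, target IP, hostname and severity ('high' if the hostname
    is on, or a subdomain of, a watchlist domain; 'medium' otherwise)."""
    watch = {d.lower() for d in watchlist}
    alerts = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or ip.is_unspecified or ip.is_loopback:
            continue
        on_watchlist = any(name == d or name.endswith("." + d) for d in watch)
        alerts.append({
            "line": lineno,
            "ip": str(ip),
            "host": name,
            "severity": "high" if on_watchlist else "medium",
        })
    return alerts


# Constructed hosts file: two stock lines, one ad-block sinkhole, one pharming
# entry pointing bank domains at a TEST-NET-3 address, one odd internal entry.
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
0.0.0.0         ads.tracker.example              # sinkhole, not a redirect
203.0.113.10    www.examplebank.com examplebank.com   # pharming entry
10.0.0.5        intranet.corp.example            # unusual but not a bank
"""

# Constructed watchlist; in practice use the domains of the banks you defend.
BANK_WATCHLIST = {"examplebank.com"}

if __name__ == "__main__":
    for alert in audit_hosts(SAMPLE_HOSTS, BANK_WATCHLIST):
        print(f"[{alert['severity']}] line {alert['line']}: "
              f"{alert['host']} -> {alert['ip']}")
```

To run it against a live machine, read /etc/hosts on Linux or macOS, or C:\Windows\System32\drivers\etc\hosts on Windows, and pass the contents to audit_hosts. A high-severity hit on a bank domain is a strong indicator on a user workstation; the medium hits need a look at whether the entry is something an administrator actually put there.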