Ghimob: banker for Android that affects entities all over the world


Ghimob is a new banking trojan for Android that has joined 'The Tetrade', the name given to the set of Brazilian banking trojan families which, besides sharing functionality, have in recent months gradually expanded worldwide by adding new banks to their target lists.

Until now, practically all the banking trojans in 'The Tetrade' were Windows trojans that shared functionality (such as string encryption algorithms) and credential theft strategies (keylogging and remote control). Brazilian banking malware for Android had already been seen before, BasBanke being one example.

In this case we are dealing with a new Brazilian banking trojan for Android detected in recent months and named Ghimob. Its developers have stepped away from the usual approach to Android banking malware: although their credential theft strategy is nothing new, it is not one of the most widely used. As seen in previous analyses of the most popular families, such as Cerberus, GINP or BlackRock, the most common strategy among Android bankers is the overlay, which consists of displaying a new view containing a phishing form as soon as the opening of the targeted bank application is detected.

This new malware, as we have seen, opts for a credential stealing strategy that is unusual for Android banking malware: theft through the accessibility event log. Although some of the most popular families implement it, it is not their main method; the operators of those families prefer to steal credentials with overlays that show a WebView loading a phishing website. Because an accessibility service receives the text-changed and focus events of whatever app is in the foreground, the credentials are captured as the victim types them into the legitimate bank application, so no fake form is ever shown.
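As an added example (not code from the article or from buguroo), the two client-side checks a banking app can run against the two vectors described above: enumerating the enabled accessibility services that subscribe to text-change events (the signal an accessibility-based logger needs), and rejecting touches that arrive through a window drawn over the login form (the overlay case). The class name, the allow list of trusted service prefixes and the method names are assumptions for illustration; the Android APIs used are standard.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.provider.Settings;
import android.view.MotionEvent;
import android.view.View;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Added example: checks against accessibility-based and overlay-based credential theft. */
public final class InputHijackChecks {

    // Assumed allow list: prefixes of "package/ServiceClass" ids the app tolerates
    // (screen readers and AOSP components). Everything else is reported.
    private static final String[] ALLOWED_PREFIXES = {
        "com.google.android.marvin.talkback/",
        "com.android."
    };

    /** Enabled accessibility services not on the allow list, as "package/ServiceClass". */
    public static List<String> unexpectedAccessibilityServices(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        // Colon-separated list maintained by the system settings provider.
        String enabled = Settings.Secure.getString(
                ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (enabled == null || enabled.isEmpty()) {
            return suspicious;
        }
        for (String id : enabled.split(":")) {
            if (!id.isEmpty() && !isAllowed(id)) {
                suspicious.add(id);
            }
        }
        return suspicious;
    }

    /**
     * Cross-check through AccessibilityManager: only services whose event mask includes
     * TYPE_VIEW_TEXT_CHANGED can see text as it is typed, which is what a credential
     * logger relies on. Services that only react to window changes are not returned.
     */
    public static List<AccessibilityServiceInfo> servicesReceivingTextEvents(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> out = new ArrayList<>();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            if ((info.eventTypes & AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED) != 0) {
                out.add(info);
            }
        }
        return out;
    }

    private static boolean isAllowed(String id) {
        for (String prefix : ALLOWED_PREFIXES) {
            if (id.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Overlay check for the login form's root view. The framework sets
     * FLAG_WINDOW_IS_OBSCURED on a touch that passed through another window drawn on
     * top of this one; such touches are consumed here so the app can raise an alert
     * instead of handling them. `report` is an assumed callback into app telemetry.
     */
    public static void rejectObscuredTouches(View loginRoot, Runnable report) {
        loginRoot.setOnTouchListener((v, ev) -> {
            if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
                report.run();
                return true; // swallow the touch
            }
            return false; // normal touch, let the view handle it
        });
    }
}
```

Two caveats a practitioner should keep in mind. A phishing overlay that is itself touchable receives the victim's taps directly, so the login view never sees an obscured touch; the touch-flag check only catches overlays that pass touches through (transparent clickjacking layers). And the accessibility checks tell you that a capable service is enabled, not that it is malicious, so the allow list and the response (blocking the session, stepping up authentication) are policy decisions for the bank, not something the checks decide on their own.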


Ghimob: the banking malware for Android that seriously affects entities all over the world

Ghimob, the new banking trojan for Android, is of Brazilian origin, started its activity only a few months ago and, for the time being, seems to be focused on Brazilian users and banks.

The fact that its distribution was discovered through the control servers of Guildma, a Windows banking trojan, suggests that both trojans share developers.

Posted by David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.
