Ghimob: banker for Android that affects entities all over the world

Ghimob is a new banking trojan for Android that has joined ‘The Tetrade’, the name given to a set of Brazilian banking trojans that share functionality and that, in recent months, have also begun to expand gradually across the world by adding new banks to their lists of targeted entities.

Until now, practically all the banking trojans in ‘The Tetrade’ group were Windows trojans, which also shared functionality (such as string encryption algorithms) and credential theft strategies (keylogging and remote control). Brazilian banking malware families for Android had already appeared before, such as BasBanke.

In this case, we look at a new Brazilian banking trojan for Android that has been detected in recent months and has been named Ghimob. Its developers have stepped away from the ordinary for Android banking malware: although their credential theft strategy is nothing new, it is not one of the most widely used. As seen in previous analyses of the most popular families, such as Cerberus, GINP or BlackRock, the most common strategy among Android bankers is the use of overlays, which consists of displaying a new view containing a phishing form as soon as the opening of the banking application is detected.

This new malware, as we have seen, opts for a credential stealing strategy that is unusual for Android banking malware: theft through the accessibility event log. Although some of the most popular families implement it, it is not their main method of stealing credentials; their operators prefer overlays that show a WebView with a phishing website.
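Because the accessibility-based strategy described above only works if a third-party accessibility service is enabled on the device, a banking app can use that as a risk signal. The following is an added defensive example, not code from the original post or from the Ghimob analysis; the class and method names are illustrative and the Android APIs used are the public `AccessibilityManager` and `AccessibilityServiceInfo` ones.

```java
// Added defensive example (not from the original post). Enumerates the
// accessibility services currently enabled on the device and flags those that
// are not part of the system image and either subscribe to text-change events
// or can read window content, which is what accessibility-based credential
// theft relies on. Class and method names are illustrative.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.ResolveInfo;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

public final class AccessibilityRiskCheck {

    /** One enabled third-party service that a risk engine may want to look at. */
    public static final class Finding {
        public final String packageName;
        public final boolean listensToTextChanges;
        public final boolean canRetrieveWindowContent;

        Finding(String packageName, boolean listensToTextChanges, boolean canRetrieveWindowContent) {
            this.packageName = packageName;
            this.listensToTextChanges = listensToTextChanges;
            this.canRetrieveWindowContent = canRetrieveWindowContent;
        }
    }

    /** Returns enabled, non-system accessibility services with keylogging-relevant capabilities. */
    public static List<Finding> findSuspiciousServices(Context ctx) {
        List<Finding> findings = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return findings;
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            ResolveInfo ri = info.getResolveInfo();
            if (ri == null || ri.serviceInfo == null) continue;
            ApplicationInfo app = ri.serviceInfo.applicationInfo;
            // Preinstalled services (screen readers shipped with the ROM) are skipped here.
            if (app != null && (app.flags & ApplicationInfo.FLAG_SYSTEM) != 0) continue;
            boolean text = (info.eventTypes & AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED) != 0;
            boolean content = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            if (text || content) {
                findings.add(new Finding(ri.serviceInfo.packageName, text, content));
            }
        }
        return findings;
    }
}
```

Run the check before showing the login screen and treat a non-empty result as a signal to feed into fraud scoring rather than a hard block, since legitimate third-party accessibility services exist.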


Ghimob: the banking malware for Android that seriously affects entities all over the world

Ghimob, the new Brazilian banking trojan for Android, started its activity only a few months ago and for the time being seems to be focused on Brazilian users and banks.

The fact that its distribution was discovered through the control servers of the Windows banking trojan Guildma suggests that both trojans share developers.





Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of buguroo’s development team, managing task distribution and negotiating with the Head of Technology.

