Ghimob is the new banking trojan for Android that has joined 'The Tetrade', the name by which the set of Brazilian banking trojans is known. Besides sharing functionality, these families have also begun to gradually expand throughout the world in recent months by adding new institutions to their lists of targeted banks.
Until now, practically all the banking trojans that were part of ‘The Tetrade’ group were trojans for Windows, which also shared functionalities (such as string encryption algorithms) and credential theft strategies (keylogging and remote control). On previous occasions, a family of Brazilian banking malware had already been introduced for Android mobile devices, such as BasBanke.
In this case, we have to talk about a new Brazilian banking trojan for Android that has been detected in recent months, and that has been named Ghimob. The Ghimob developers have decided to step away from the ordinary when it comes to banking malware for Android: although their credential theft strategy is nothing new, it is not one of the most widely used. As has been seen in previous analyses of the most popular families, such as Cerberus, GINP or BlackRock, the most common strategy among Android bankers is the use of overlays, which means displaying a new view with a phishing form as soon as the opening of the bank application is detected.
This new malware, as we have seen, opts for a credential stealing strategy that's unusual for Android banking malware. And that's because theft through the accessibility event log is something that, although implemented by some of the most popular families, is not the main method used to steal credentials. Instead, operators of popular families prefer to steal credentials based on overlays that show a WebView with a phishing website.
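The two credential-theft strategies contrasted above map to two distinct capabilities an Android app must declare in its manifest: overlays need the `SYSTEM_ALERT_WINDOW` permission, and an accessibility service must be bound with `android.permission.BIND_ACCESSIBILITY_SERVICE` and register the `android.accessibilityservice.AccessibilityService` intent action. The following triage script is an added example written for this article, not code from the original post or from any of the malware families discussed; it assumes a decoded, text-form `AndroidManifest.xml` (as produced by a decompiler such as apktool) and uses a constructed sample manifest rather than a real app's. It flags which of the two strategies a sample is capable of, which is a useful first sort before deeper analysis.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability indicators for the two credential-theft strategies described above.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample manifest (decoded text form); package and class names are invented.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only, no overlay, no accessibility.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Benign">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return which credential-theft capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)

    # Requested permissions; the overlay strategy needs SYSTEM_ALERT_WINDOW.
    permissions = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}

    # An accessibility service is a <service> bound with BIND_ACCESSIBILITY_SERVICE
    # and/or filtering the AccessibilityService intent action.
    a11y_services = []
    for svc in root.iter("service"):
        bound = svc.get(ATTR_PERMISSION) == A11Y_BIND_PERMISSION
        actions = {a.get(ATTR_NAME) for a in svc.iter("action")}
        if bound or A11Y_ACTION in actions:
            a11y_services.append(svc.get(ATTR_NAME))

    findings = []
    if OVERLAY_PERMISSION in permissions:
        findings.append("overlay-capable: can draw views over the banking app")
    if a11y_services:
        findings.append("accessibility-capable: can receive UI events from other apps")

    return {
        "package": root.get("package"),
        "overlay_capable": OVERLAY_PERMISSION in permissions,
        "accessibility_services": a11y_services,
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], "->", result["findings"] or ["no capability indicators"])
```

Neither indicator alone proves malice (screen readers and legitimate floating-window apps declare the same things), so the output is a sorting aid: a sample that declares an accessibility service but no overlay permission fits the Ghimob-style profile described above and deserves a look at what its service does with the events it receives.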