Security researchers recently announced the discovery of a new Android-based malware called Ghimob. According to researchers at Kaspersky, Ghimob was developed by the same group that created the Astaroth/Guildama malware.
Ghimob steals credentials from target devices using spyware techniques. It is distributed through email phishing campaigns in which the user must click a malicious attachment to trigger the infection. Clicking that attachment delivers Ghimob to the target device via a remote access trojan (RAT).
The malware then displays fake pop-ups asking the user to install certain apps. Once Ghimob has stolen the security credentials, the attackers gain remote access to the target device.
Ghimob is also distributed through malicious websites impersonating popular apps. In this case, a user who tries to install an app by downloading it from such a website brings the malware onto the device inside the downloaded file. The malware then begins requesting permissions on the infected device.
Once the user grants Ghimob the ‘Accessibility’ permission, the malware is able to spy on the device. It then displays fake login windows over apps in order to steal the user’s credentials. Ghimob can display fake login windows for 153 apps.
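Because the Accessibility permission is what lets Ghimob overlay fake login windows, a defender's first check on a suspect device is the list of enabled accessibility services. The script below is an added example, not code from the article or from Kaspersky: it compares that list against an allow-list and prints any service that is not expected. On a real device the input string would come from `adb shell settings get secure enabled_accessibility_services`; here the input and the allow-list entries are constructed sample values, and the package name `com.example.unknown` is a placeholder, not an indicator tied to Ghimob.

```shell
#!/bin/sh
# Added example (not from the article): flag enabled Android accessibility
# services that are not on an allow-list. The raw value on a device comes
# from `adb shell settings get secure enabled_accessibility_services` and is
# a colon-separated list of package/service entries ("null" when none set).

# Constructed sample input: one expected service plus one unknown service.
SAMPLE_ENABLED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknown/.OverlayService'

# Constructed allow-list of services the device is expected to have enabled.
ALLOWED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService'

# check_accessibility_services ENABLED ALLOWED
# Prints, one per line, every enabled service missing from the allow-list.
# Prints nothing when the list is empty, "null", or fully allow-listed.
check_accessibility_services() {
    enabled="$1"
    allowed="$2"

    # An unset setting is reported as "null" by `settings get`.
    if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
        return 0
    fi

    old_ifs="$IFS"
    IFS=':'
    for svc in $enabled; do
        [ -n "$svc" ] || continue
        # Exact, fixed-string match against each allow-list entry.
        if printf '%s\n' "$allowed" | tr ':' '\n' | grep -Fxq -- "$svc"; then
            continue
        fi
        printf '%s\n' "$svc"
    done
    IFS="$old_ifs"
    return 0
}

# Stand-alone run over the constructed sample.
unknown=$(check_accessibility_services "$SAMPLE_ENABLED" "$ALLOWED")
if [ -n "$unknown" ]; then
    echo "Unexpected accessibility services enabled:"
    echo "$unknown"
else
    echo "No unexpected accessibility services enabled."
fi
```

In practice the allow-list is populated from a known-good device image, and any hit is a reason to inspect the package that registered the service before the user enters any banking credentials on that device.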
Some of the apps Ghimob targets are cryptocurrency exchange apps. Compromising a device through a fake crypto exchange login gives the attackers access to the victim's crypto accounts, which they use to initiate fraudulent payments. Reportedly, 9 of the targeted apps are international payment systems.
Banks in Brazil were the first to face Ghimob attacks. The malware then spread to other countries in Latin America, as well as to parts of Europe and Africa, targeting the banking apps used in each specific country.