
Cybercrime: here comes Ghimob, the latest mobile banking trojan

Kaspersky: Ghimob is the latest mobile banking trojan designed by the Guildma cybercrime actors. It exploits Accessibility Mode to gain persistence, disable manual uninstallation, capture data, manipulate screen content and give the fraudster full remote control of the device.

Ghimob is a new piece of malware, a banking trojan designed by the Guildma cybercrime actor to infect mobile devices. It was discovered by Kaspersky cybersecurity experts. The APKs pose as installers of popular apps. Once installed on the phone, the app abuses Accessibility Mode to gain persistence, disable manual uninstallation and allow the banking trojan to capture data, manipulate screen content and give the fraudster full remote control: a very typical mobile RAT. The lure used to get the victim to install the malicious file is an email. It is written as if it came from a creditor and provides a link where the recipient can supposedly view more information, while the app itself pretends to be Google Defender, Google Docs, WhatsApp Updater, etc. Victims of Ghimob are currently located in Latin America and partly in Africa, but the operators plan to expand abroad.

The cybersecurity experts: the malware uses email as its infection vector

According to cybersecurity experts, Guildma is a threat actor that is part of the Tétrade family of banking trojans. The cybercrime group has been working on bringing in new techniques, creating new malware and targeting new victims. The latest is Ghimob, which targets financial apps from banks, fintechs, exchanges and cryptocurrency services in Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique. Whoever controls the trojan can access the infected device remotely and complete the fraudulent transaction from the victim’s own smartphone, so as to evade machine identification, the security measures implemented by financial institutions and all of their behavioral antifraud systems.
