A new Android banking Trojan, dubbed Ghimob, spies on and harvests data from 153 Android applications, targeting users in countries such as Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique.
Security research indicates that Ghimob was developed by the same cybercriminals who wrote the Astaroth Windows malware. Notably, the official Google Play Store has not been abused as a distribution channel; instead, the operators distribute malicious Android apps through sites and servers previously used by Astaroth.
Astaroth is a well-known player in the field of banking Trojans. One of its latest updates was observed in May of this year, when Cisco Talos researchers found that Astaroth had been equipped with advanced obfuscation and anti-analysis techniques. The May campaigns also showed an innovative use of YouTube channel descriptions as a carrier for encoded command-and-control communications.
Ghimob Banking Trojan: What Is Known So Far
According to Kaspersky, “Ghimob is a full-fledged spy in your pocket.” As soon as the infection completes, the threat actors can access the affected device remotely. Because the fraudulent transaction is carried out from the victim's own device, the machine-identification checks that financial institutions rely on are bypassed, along with the anti-fraud controls built on top of them.
“Even if the user has a screen lock pattern in place, Ghimob is able to record it and later replay it to unlock the device,” the researchers warn. To hide the transaction, the malware draws a black overlay or opens a website in full screen. While the user is distracted by that screen, the operator completes the transaction in the background using the financial app the victim has already opened or logged in to.
The observed campaigns impersonated legitimate apps and brands, such as Google Defender, Google Docs, WhatsApp Updater, and Flash Update. Once installed, the malicious app asks the user to grant it access to the Android Accessibility service. This is the final stage of the infection: accessibility privileges let the malware read what is on screen and act on it, which is what the pattern replay and background transactions depend on.
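Since the Accessibility grant is the step the whole scheme hinges on, the check a defender most wants is which packages currently hold it. The example below is added here and is not Kaspersky's or the malware's code; it parses the value of the Android `Settings.Secure` key `enabled_accessibility_services` (a `:`-separated list of `package/ServiceClass` entries, or `null` when empty) and flags any package not on an allowlist. The allowlist contents, the `com.example.flashupdate` package name, and the sample setting value are constructed for this example.

```python
"""Check an Android device's enabled accessibility services against an allowlist.

Banking Trojans of the Ghimob kind need the Accessibility service to read screen
content and drive other apps, so an unexpected package in this list is a strong signal.
"""
from typing import Dict, List, Set

# On a device or emulator the live value comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a ":"-separated list of "package/ServiceClass" entries, or "null" when empty.

# ALLOWLIST is an assumption for this example (TalkBack only). Extend it with the
# accessibility apps your organisation actually sanctions.
ALLOWLIST: Set[str] = {"com.google.android.marvin.talkback"}

# Constructed sample value for this example (not a real device capture). The second
# entry uses a made-up package name standing in for a "Flash Update" style dropper.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashupdate/com.example.flashupdate.OverlayService"
)


def parse_enabled_services(value: str) -> List[Dict[str, str]]:
    """Split the raw setting into {"package": ..., "service": ...} records."""
    value = value.strip()
    if not value or value == "null":
        return []
    records: List[Dict[str, str]] = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        # Entries are "package/class"; a class beginning with "." is relative to the package.
        package, _, service = entry.partition("/")
        if service.startswith("."):
            service = package + service
        records.append({"package": package, "service": service})
    return records


def flag_unexpected(value: str, allowlist: Set[str] = ALLOWLIST) -> List[str]:
    """Return packages holding accessibility access that are not on the allowlist."""
    seen: List[str] = []
    for rec in parse_enabled_services(value):
        pkg = rec["package"]
        if pkg not in allowlist and pkg not in seen:
            seen.append(pkg)
    return seen


if __name__ == "__main__":
    for rec in parse_enabled_services(SAMPLE_SETTING):
        print(f"{rec['package']:45s} {rec['service']}")
    suspicious = flag_unexpected(SAMPLE_SETTING)
    print("unexpected accessibility services:", suspicious or "none")
```

Run it against the real value from `adb shell settings get secure enabled_accessibility_services` rather than the embedded sample; a package that is not a screen reader or another sanctioned assistive tool, yet holds the grant, deserves a look at what else it has installed and what it is drawing over other apps.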
Advanced Threat with Strong Persistence
The Ghimob Trojan also uses command-and-control servers fronted by Cloudflare and hides its real C2 addresses behind a domain generation algorithm (DGA). In short, the malware combines several tricks, which Kaspersky notes makes it a strong competitor in this field. There is still no sign that it is offered as malware-as-a-service. One thing is certain, though: this is an advanced and versatile piece of malware with strong persistence.
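With the C2 behind Cloudflare, the resolved IP address tells a defender little, so the generated domain names themselves become the more useful signal. The example below is added here as a generic DGA-likeness heuristic (character entropy and vowel ratio of the registrable label) and is neither Kaspersky's detection logic nor Ghimob's actual DGA; the simplified public-suffix set, the thresholds, and the sample hostnames are all assumptions constructed for this example.

```python
"""Triage hostnames whose registrable label looks machine-generated.

Added example: a generic entropy/vowel-ratio heuristic for DGA-style labels,
not the real Ghimob algorithm. Expect false positives on CDN and hash-named hosts,
so treat hits as leads to enrich with DNS and proxy telemetry, not as verdicts.
"""
import math
from collections import Counter
from typing import List

# Simplified public-suffix set, an assumption for this example; use the real
# Public Suffix List in production.
_PUBLIC_SUFFIXES = {"com", "net", "org", "br", "co", "uk", "pt", "de"}


def shannon_entropy(text: str) -> float:
    """Bits per character over the text's own character distribution."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(text: str) -> float:
    """Fraction of characters that are vowels; dictionary words sit well above random labels."""
    if not text:
        return 0.0
    return sum(ch in "aeiou" for ch in text) / len(text)


def registrable_label(hostname: str) -> str:
    """Return the label just left of the (simplified) public suffix, e.g. 'bancodobrasil'."""
    labels = hostname.lower().rstrip(".").split(".")
    while len(labels) > 1 and labels[-1] in _PUBLIC_SUFFIXES:
        labels.pop()
    return labels[-1]


def looks_generated(hostname: str, min_len: int = 10,
                    entropy_threshold: float = 3.0, vowel_threshold: float = 0.3) -> bool:
    """Flag long labels that are both high-entropy and vowel-poor."""
    label = registrable_label(hostname)
    if len(label) < min_len:
        return False
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio(label) < vowel_threshold


# Constructed sample, not real Ghimob infrastructure: two dictionary-style names
# and two random-looking labels of the kind a DGA produces.
SAMPLE_HOSTNAMES = [
    "www.kaspersky.com",
    "bancodobrasil.com.br",
    "qz8v2xk7pw3mnt.net",
    "a3f9c1e7b2d4.com",
]


def triage(hostnames: List[str]) -> List[str]:
    """Return the hostnames worth a closer look."""
    return [h for h in hostnames if looks_generated(h)]


if __name__ == "__main__":
    for h in SAMPLE_HOSTNAMES:
        label = registrable_label(h)
        print(f"{h:25s} H={shannon_entropy(label):.2f} vowels={vowel_ratio(label):.2f} "
              f"flag={looks_generated(h)}")
```

Feed it the unique hostnames from DNS or TLS SNI logs rather than the embedded sample; since the real C2 sits behind Cloudflare, blocking by destination IP would also cut off legitimate sites, so the domain, not the address, is what belongs on a blocklist.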
Kaspersky’s recommendation is “that financial institutions watch these threats closely, while improving their authentication processes, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate all of the risks that this new mobile RAT family poses.”