Ghimob, a remote access Trojan for Android developed by the Brazil-based threat group Guildma, targets 153 mobile applications of banks, fintechs, and cryptocurrency exchanges. Once on a victim's smartphone it gives the attackers control of the device and access to the victim's financial accounts. The campaign currently targets users in Angola, Brazil, Germany, Mozambique, Paraguay, Peru, and Portugal, and the group appears ready to expand to other countries.
Financial applications now play a prominent role on our phones: we use them to manage accounts and move money. What would you do if you found out that spyware was hiding on your Android device?
How will you know if your mobile device has been infected by Ghimob?
Ghimob is delivered as a Trojan rather than as a self-propagating virus: victims are tricked into downloading and installing a malicious app that impersonates a legitimate one, such as Google Defender, Google Docs, a WhatsApp updater, a Flash update, or a bank or cryptocurrency exchange app. The fake apps are NOT hosted on Google Play; they are advertised on websites run by Guildma that promise a better experience than the legitimate app. Once installed, the malware checks whether it is running inside an emulator and, if it is, terminates itself to frustrate analysis; in newer versions the list of emulator names it checks against is kept in an encrypted configuration file. The fraudulent app then abuses Android's Accessibility Service to manipulate the device, extend what it can do without further user interaction, and gain persistence. It also sends the criminals' server a message containing the phone model, the list of targeted applications installed on the device together with their versions, and whether a screen lock is active.
Once the operators have remote access to the infected device, Ghimob records the screen lock pattern so it can be replayed later to unlock the phone, and it hides its icon from the app drawer. It displays fake login screens for the targeted apps installed on the device in order to harvest the user's credentials. With the credentials in hand, the operators overlay a black screen or a full-screen website on the phone while they carry out fraudulent transactions in the background, and they can use the device itself to answer the security questions of accounts protected by additional checks. Users will also find Ghimob hard to uninstall, since it can restart or shut down the device to stop the malicious app from being removed.
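One concrete check that follows from the behaviour described above, added here as an example and not taken from the original article: because Ghimob is sideloaded from attacker-run sites and depends on the Accessibility Service, list the accessibility services enabled on a device and flag any whose package was not installed from Google Play. The script uses constructed sample output in place of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and the package names in it (com.update.flash, org.example.bank) are made up for illustration.

```shell
#!/usr/bin/env bash
# Added triage check (not from the original article): print every accessibility
# service enabled on an Android device whose package did NOT come from Google
# Play. A sideloaded app that has accessibility enabled is the combination
# Ghimob relies on, so it is the one worth inspecting first.
#
# On a real device (USB debugging enabled) the two inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3 -i
# Below, constructed sample output stands in for both so the script runs offline.

# Constructed sample of enabled_accessibility_services:
# "pkg/serviceclass" entries joined by ':'.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.update.flash/com.update.flash.AccService'

# Constructed sample of "pm list packages -3 -i":
# "package:<pkg>  installer=<installer pkg or null>".
# installer=null is what an APK installed via adb or a browser download shows.
SAMPLE_PKGS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.update.flash  installer=null
package:org.example.bank  installer=com.android.vending'

PLAY_STORE='com.android.vending'

# installer_of PKG PKG_LIST -> the installer recorded for PKG, or "unknown"
# if PKG does not appear in PKG_LIST at all.
installer_of() {
    local pkg="$1" list="$2" inst
    inst=$(printf '%s\n' "$list" | awk -v pkg="$pkg" '
        $1 == ("package:" pkg) { sub(/^installer=/, "", $2); print $2; exit }')
    printf '%s\n' "${inst:-unknown}"
}

# suspicious_a11y A11Y_STRING PKG_LIST -> one line "<pkg> <installer>" for
# each enabled accessibility service whose package was not installed by Play.
suspicious_a11y() {
    local a11y="$1" list="$2" pkg inst
    # split the ':'-joined list, keep the package half of "pkg/serviceclass"
    printf '%s\n' "$a11y" | tr ':' '\n' | cut -d/ -f1 | sort -u |
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        inst=$(installer_of "$pkg" "$list")
        [ "$inst" = "$PLAY_STORE" ] || printf '%s %s\n' "$pkg" "$inst"
    done
}

# Stand-alone run over the constructed samples; on a real device substitute
# the adb output for the two sample variables.
suspicious_a11y "$SAMPLE_A11Y" "$SAMPLE_PKGS"
```

A hit from this script is a lead, not a verdict: legitimate accessibility tools installed outside Play will show up too, and a device-management or vendor store can also appear as the installer. The point is that an app the user never deliberately sideloaded, holding the permission Ghimob abuses, deserves a look at where it came from and what it draws over other apps.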
Guildma is one of the Brazilian banking Trojan families grouped under the name Tetrade. Its Windows malware, also known as Astaroth, abuses legitimate Windows operating system processes to do its work and has attacked victims in the US, Europe, Asia, and Brazil.
In summary, users and financial organizations should be cautious and strengthen their security measures, as the Guildma group continues to enhance its capabilities and is prepared to attack other countries.