New ‘Ghimob’ malware can spy on 153 Android mobile applications

Security researchers have found a new Android banking trojan that can spy on and steal information from 153 Android applications.

Kaspersky says that the new Android trojan has been offered for download packaged inside malicious Android apps on sites and servers previously used by the Astaroth (Guildma) operation.

Distribution was never carried out via the official Play Store.

Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.

These apps mimicked official apps and brands, with names such as Google Defender, Google Docs, WhatsApp Updater, or Flash Update. When users were careless enough to install the apps despite all the warnings displayed on their devices, the malicious apps would request access to the Accessibility service as a final step in the infection process.

If access was granted, the apps would search the infected phone for a list of 153 apps, for which they would show fake login pages in an attempt to steal the user’s credentials.

Most of the targeted apps were for Brazilian banks, but in recently updated variants, Kaspersky said Ghimob also expanded its capabilities to begin targeting banks in Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola and Mozambique (one app per country).

What’s more, Ghimob also included an update to target cryptocurrency exchange apps in an effort to gain access to cryptocurrency accounts, with Ghimob following a general trend in the Android malware scene that has slowly shifted to target cryptocurrency owners.

After any phishing attempt was successful, all collected credentials were sent back to the Ghimob gang, which would then access a victim’s accounts and initiate illicit transactions.

When accounts were protected with hardened security measures, the Ghimob gang used its full control over the device (via the Accessibility service) to respond to any security probes and prompts shown on the attacked smartphone.

Ghimob’s features are not unique, but actually copy the make-up of other mobile banking trojans, such as BlackRock or Alien.

Kaspersky noted that Ghimob’s development now echoes a global trend in the Brazilian malware market, with the very active local malware gangs slowly expanding to target victims in countries abroad.