A new Android banking trojan that can spy on and steal data from 153 Android applications has been discovered by security researchers.
The trojan, named Ghimob, is believed to have been developed by the same group responsible for the Astaroth (Guildma) Windows malware.
According to Kaspersky, the new Android trojan was found alongside malicious Android apps on sites and servers previously used by the Astaroth (Guildma) operation.
The malware was not distributed through the official Play Store. Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting the Android apps.
These apps mimicked official apps and brands, with names such as Google Defender, Google Docs, WhatsApp Updater, or Flash Update. Users who did not pay much attention installed the apps despite the warnings shown on their devices. As a final step in the infection process, the malicious apps would request access to the Accessibility service.
Once this permission was granted, the app would search the infected phone for any of 153 targeted apps and display fake login pages for them to steal the user’s credentials.
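The two traits described above (sideloaded install, Accessibility service enabled) can be triaged from device inventory output. The following is an added example, not code from the article or from Kaspersky; it parses constructed samples of two adb command outputs and flags accessibility services belonging to packages that are neither on an assumed trusted list nor installed from the Play Store:

```python
# Triage the pattern described above: an Accessibility service enabled for an
# app that did not come from the Play Store. Inputs are raw outputs of
#   adb shell settings get secure enabled_accessibility_services
#     (colon-separated "package/ServiceClass" entries, or "null")
#   adb shell pm list packages -i
#     (one "package:<name>  installer=<installer|null>" line per package)

PLAY_STORE = "com.android.vending"
# Assumption: accessibility packages this organisation already trusts.
TRUSTED = {"com.google.android.marvin.talkback", "com.android.switchaccess"}

def parse_accessibility(raw):
    """[(package, service_class), ...] from the settings output."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    pairs = (item.strip().partition("/") for item in raw.split(":"))
    return [(pkg, svc) for pkg, _, svc in pairs if pkg]

def parse_installers(raw):
    """{package: installer or None} from the pm output."""
    result = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, inst = line[len("package:"):].partition("installer=")
        inst = inst.strip()
        result[pkg.strip()] = None if inst in ("", "null") else inst
    return result

def flag_suspicious(acc_raw, pm_raw, trusted=TRUSTED):
    """Enabled services whose package is untrusted and not Play-installed."""
    installers = parse_installers(pm_raw)
    return [
        {"package": pkg, "service": svc, "installer": installers.get(pkg)}
        for pkg, svc in parse_accessibility(acc_raw)
        if pkg not in trusted and installers.get(pkg) != PLAY_STORE
    ]

# Constructed sample device output (not real data).
ACC_SAMPLE = ("com.google.android.marvin.talkback/"
              "com.google.android.marvin.talkback.TalkBackService"
              ":com.update.flash/com.update.flash.AccService")
PM_SAMPLE = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.update.flash  installer=null
package:com.whatsapp  installer=com.android.vending"""

if __name__ == "__main__":
    for hit in flag_suspicious(ACC_SAMPLE, PM_SAMPLE):
        print("review:", hit)
```

A flagged entry is a lead for review, not proof of infection; legitimate sideloaded accessibility tools will also appear until added to the trusted set.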
Most of the targeted apps were for Brazilian banks. Kaspersky said that in recently updated versions, Ghimob also started targeting banks in Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola and Mozambique (one app per country).
Ghimob was also updated to target cryptocurrency exchange apps in order to access the cryptocurrency accounts.
After a successful phishing attempt, the gathered credentials were sent back to the Ghimob gang, which would then access a victim’s account and conduct illegal transactions.
Where accounts were protected by extra security measures, the threat actors used their full control over the device to respond to any security checks and prompts shown on the attacked smartphone.
Ghimob’s features are not original; they are copied from other Android banking trojans, such as BlackRock or Alien.