Bitcoin Forum
Author Topic: Ghimob: New banking trojan that also targets crypto exchange apps  (Read 105 times)
cryptomaniac_xxx (OP)
November 10, 2020, 07:06:16 AM
Merited by Yaunfitda (2), Baofeng (2), DdmrDdmr (2), Jating (1), TravelMug (1), btc_angela (1), SquirrelJulietGarden (1)
 #1

There is a new Android banking malware which has evolved to steal crypto users' credentials as well. It used to target Brazilian banks, but now it has grown and evolved and expanded its targets to include other banking systems as well.

Quote
Most of the targeted apps were for Brazilian banks, but in recently updated versions, Kaspersky said Ghimob also expanded its capabilities to start targeting banks in Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola and Mozambique (one app per country).

Furthermore, Ghimob also added an update to target cryptocurrency exchange apps in attempts to gain access to cryptocurrency accounts, with Ghimob following a general trend in the Android malware scene that has slowly shifted to target cryptocurrency owners.

After any phishing attempt was successful, all collected credentials were sent back to the Ghimob gang, which would then access a victim's account and initiate illegal transactions.



So do not download anything that mimics the following.

  • Google Defender
  • Google Docs
  • WhatsApp Update
  • Flash Update

https://www.zdnet.com/article/new-ghimob-malware-can-spy-on-153-android-mobile-applications/

It did not mention which crypto apps are in it, but according to this report, it's 13 crypto apps from different countries.

DdmrDdmr
November 10, 2020, 07:47:55 AM
Merited by cryptomaniac_xxx (1)
 #2

I’ve searched around for the list of targeted apps, but it is still nowhere to be found.

So what Ghimob does once installed and camouflaged is read fields from the currently active window, searching for specific terms, and then send this information over to the hacker. Information such as login credentials, balance and statements is gathered, so the hacker will get to know both the financial status and how to access the targeted accounts.

https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/
btc_angela
November 10, 2020, 08:44:19 AM
Merited by cryptomaniac_xxx (1)
 #3

And what is more scary is that the security researchers didn't disclose the supposedly thirteen crypto-related apps that have been targeted by this malware or trojan. Although it started by just attacking Brazilian apps, it has forked to other banking apps within its neighbours, so it is very dangerous.

"Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola and Mozambique (one app per country)."

Also worth mentioning is that the way they distributed these malicious apps is through emails and not from the Google Play Store.

TravelMug
November 11, 2020, 02:02:01 AM
Merited by cryptomaniac_xxx (1)
 #4

Quote
And what is more scary is that the security researchers didn't disclose the supposedly thirteen crypto-related apps that have been targeted by this malware or trojan. Although it started by just attacking Brazilian apps, it has forked to other banking apps within its neighbours, so it is very dangerous.

So the best option for us right now is not to trust anything, especially the countries mentioned in the research.

Quote
Also worth mentioning is that the way they distributed these malicious apps is through emails and not from the Google Play Store.

Again, this is a very old tactic; even prior to the advent of crypto scams, email is the only attack vector for these cyber criminals. So have good security practices, educate ourselves, and check everything before clicking any links in our inbox. Even if the source of the email is known to us, we still need to be skeptical.

cryptomaniac_xxx (OP)
November 11, 2020, 07:16:45 AM
 #5

Quote
I’ve searched around for the list of targeted apps, but it is still nowhere to be found.

I also had to dig deeper and found this one; it only mentioned Bittrex at that time, but it has really evolved to target more crypto exchanges/apps (I will just assume that here).

Quote
Upon in-depth analysis of the library code, we can see a list of targets in some of the samples. Depending on the sample analyzed, cryptocurrency websites, such as Bittrex, or payment solutions, such as Mercado Pago, a very popular retailer in Latin America, are also targeted. To capture login credentials from all the previously listed websites, Javali monitors processes to find open browsers or custom banking applications. The most common web browsers thus monitored are Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge.

Sources:

https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

boyptc
November 11, 2020, 02:07:28 PM
 #6

Calmly, I see the list and I don't use most of them.

And for the people who like accessing their bank accounts through browsers and official banking apps, they need to be more aware of this. I guess many of the folks here are doing it.

Nothing to worry about if they know how to protect themselves by not clicking unwanted email links and avoiding downloading unwanted apps.

TravelMug
November 12, 2020, 01:31:26 AM
 #7


[..snip..]


Well, it mentioned Bittrex, but top ten exchanges like Binance and Coinbase have been in their crosshairs.

And thanks for updating it. Even though I don't reside in the countries mentioned, it is still better to be aware that there is potential for cyber actors to develop this kind of trojan gradually so that it could target more banking apps and more crypto exchange apps.

libert19
November 12, 2020, 05:33:39 AM
 #8

Quote
And what is more scary is that the security researchers didn't disclose the supposedly thirteen crypto-related apps that have been targeted by this malware or trojan. Although it started by just attacking Brazilian apps, it has forked to other banking apps within its neighbours, so it is very dangerous.

So the best option for us right now is not to trust anything, especially the countries mentioned in the research.


It's good not to trust anything anyway, because it usually takes a while for security firms to detect new viruses/trojans. One simple thing Android users can do is to be careful about the permissions they give to apps.
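The two defensive points raised in this thread, that the apps arrive by email rather than from the Play Store, and that once installed the trojan reads fields out of the currently active window, can both be checked from the device inventory. The script below is an added example written for this thread; it is not code from the thread, from Kaspersky or from the Ghimob analysis. It assumes the output format of two real adb commands, `adb shell pm list packages -3 -i` (one `package:<name>  installer=<pkg>` line per third-party app) and `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` entries), and all package names and command output in it are constructed samples. It flags third-party apps that were not installed by Google Play, and raises the severity when such an app also has an accessibility service enabled, which is the mechanism that lets an app read other apps' on-screen fields.

```python
"""Triage an Android app inventory for sideloaded apps and accessibility abuse.

Added example for this thread (not the thread's or Kaspersky's code). Input is
the text of two real adb commands; the samples below are constructed.
"""
import re

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Constructed sample of `adb shell pm list packages -3 -i` output.
# Assumed format: "package:<name>  installer=<installer-pkg or null>".
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.whatsappupdate  installer=null
package:com.example.googledefender  installer=com.android.packageinstaller
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Assumed format: colon-separated "<package>/<service-class>" entries.
SAMPLE_A11Y = (
    "com.example.whatsappupdate/.AccessService:"
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
)

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_packages(text):
    """Return {package: installer} from `pm list packages -3 -i` output."""
    result = {}
    for line in text.splitlines():
        match = PKG_RE.match(line.strip())
        if match:
            result[match.group(1)] = match.group(2)
    return result


def parse_accessibility(text):
    """Return the set of packages that have an enabled accessibility service."""
    text = text.strip()
    if not text or text == "null":  # the setting is unset on a clean device
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def triage(packages_text, a11y_text):
    """Return (severity, package, reasons) for every third-party app worth a look.

    MEDIUM: sideloaded (installer is not Google Play) or accessibility enabled.
    HIGH:   both at once, the combination a window-reading banking trojan needs.
    """
    packages = parse_packages(packages_text)
    a11y_pkgs = parse_accessibility(a11y_text)
    findings = []
    for pkg, installer in packages.items():
        reasons = []
        if installer != PLAY_STORE:
            reasons.append("sideloaded (installer=%s)" % installer)
        if pkg in a11y_pkgs:
            reasons.append("enabled accessibility service")
        if reasons:
            severity = "HIGH" if len(reasons) == 2 else "MEDIUM"
            findings.append((severity, pkg, "; ".join(reasons)))
    # HIGH first, then alphabetical so the output is stable
    findings.sort(key=lambda f: (f[0] != "HIGH", f[1]))
    return findings


if __name__ == "__main__":
    for severity, pkg, reasons in triage(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print("%-6s %-32s %s" % (severity, pkg, reasons))
```

On a real device, capture the two command outputs with adb and pass them to `triage` instead of the constructed samples. A Play-installed app with an accessibility service (a screen reader, for instance) is expected and only shows up as MEDIUM; the case to act on is a HIGH finding for an app that was never in the store, which is exactly the lure-by-email pattern the thread describes.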
