Bitcoin Forum
Author Topic: Ghimob: New banking trojan that also targets crypto exchange apps  (Read 105 times)
cryptomaniac_xxx (OP)
November 10, 2020, 07:06:16 AM
 #1

There is a new Android banking malware that has evolved to steal crypto users' credentials as well. It used to target Brazilian banks, but now it has grown and evolved and expanded its targets to include other banking systems as well.

Quote
Most of the targeted apps were for Brazilian banks, but in recently updated versions, Kaspersky said Ghimob also expanded its capabilities to start targeting banks in Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola and Mozambique (one app per country).

Furthermore, Ghimob also added an update to target cryptocurrency exchange apps in attempts to gain access to cryptocurrency accounts, with Ghimob following a general trend in the Android malware scene that has slowly shifted to target cryptocurrency owners.

After any phishing attempt was successful, all collected credentials were sent back to the Ghimob gang, which would then access a victim's account and initiate illegal transactions.



So do not download anything that mimics the following.

  • Google Defender
  • Google Docs
  • WhatsApp Update
  • Flash Update

https://www.zdnet.com/article/new-ghimob-malware-can-spy-on-153-android-mobile-applications/

It did not mention which crypto apps are in it, but according to this report, it's 13 crypto apps from different countries.

DdmrDdmr
November 10, 2020, 07:47:55 AM
 #2

I’ve searched around for the list of targeted apps, but it is still nowhere to be found.

So what Ghimob does once installed and camouflaged is read fields from the currently active window, searching for specific terms, and then send this information over to the hacker. Information such as login credentials, balance and statements is gathered, so the hacker gets to know both the financial status and how to access the targeted accounts.

https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/
btc_angela
November 10, 2020, 08:44:19 AM
 #3

And what is more scary is that the security researchers didn't disclose the supposedly thirteen crypto-related apps that have been targeted by this malware or trojan. Although it started by just attacking Brazilian apps, it has forked to other banking apps within its neighbours, so it is very dangerous.

"Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola and Mozambique (one app per country)."

Also worth mentioning is that the way they distributed these malicious apps is through emails and not from the Google Play Store.

TravelMug
November 11, 2020, 02:02:01 AM
 #4

Quote
And what is more scary is that the security researchers didn't disclose the supposedly thirteen crypto-related apps that have been targeted by this malware or trojan. Although it started by just attacking Brazilian apps, it has forked to other banking apps within its neighbours, so it is very dangerous.

So the best option for us right now is not to trust anything, especially from the countries mentioned in the research.

Quote
Also worth mentioning is that the way they distributed these malicious apps is through emails and not from the Google Play Store.

Again, this is a very old tactic; even prior to the advent of crypto scams, email was the only attack vector for these cyber criminals. So have good security practices, educate ourselves, and check everything before clicking any links in our inbox. Even if the source of the email is known to us, we still need to be skeptical.

cryptomaniac_xxx (OP)
November 11, 2020, 07:16:45 AM
 #5

Quote
I’ve searched around for the list of targeted apps, but it is still nowhere to be found.

I also had to dig deeper and found this one; it only mentioned Bittrex at that time, but it has really evolved to target more crypto exchanges/apps (I will just assume that here).

Quote
Upon in-depth analysis of the library code, we can see a list of targets in some of the samples. Depending on the sample analyzed, cryptocurrency websites, such as Bittrex, or payment solutions, such as Mercado Pago, a very popular retailer in Latin America, are also targeted. To capture login credentials from all the previously listed websites, Javali monitors processes to find open browsers or custom banking applications. The most common web browsers thus monitored are Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge.

Sources:

https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

boyptc
November 11, 2020, 02:07:28 PM
 #6

Calmly, I see the list and I don't use most of them.

And for the people who like accessing their bank accounts through browsers and official banking apps, they need to be more aware of this. I guess many of the folks here are doing it.

Nothing to worry about if they know how to protect themselves by not clicking unwanted email links and avoiding downloading unwanted apps.

TravelMug
November 12, 2020, 01:31:26 AM
 #7


[..snip..]


Well, it mentioned Bittrex, but top ten exchanges like Binance and Coinbase have been in their crosshairs.

And thanks for updating it; at least, even though I don't reside in the countries mentioned, it is still better to be aware that there is a potential for cyber actors: this kind of trojan can develop gradually and could target more banking apps and more crypto exchange apps.

libert19
November 12, 2020, 05:33:39 AM
 #8

Quote
And what is more scary is that the security researchers didn't disclose the supposedly thirteen crypto-related apps that have been targeted by this malware or trojan. Although it started by just attacking Brazilian apps, it has forked to other banking apps within its neighbours, so it is very dangerous.

So the best option for us right now is not to trust anything, especially from the countries mentioned in the research.


It's good not to trust anything anyway, because it usually takes a while for security firms to detect new viruses/trojans. One simple thing Android users can do is to be careful about the permissions they give to apps.
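The permission advice above, and the earlier description of Ghimob reading fields from whatever window is on screen, can be turned into a concrete check. The script below is an added example written for this thread; it is not code from the thread, from Kaspersky's report, or from Android itself. It parses two outputs a user or admin can collect over adb (`adb shell dumpsys package <pkg>` for the "requested permissions:" block, and `adb shell settings get secure enabled_accessibility_services`) and flags apps that combine an enabled accessibility service with overlay or SMS permissions, the combination banking trojans typically need to read screens and draw fake login forms. The sample outputs, the package names and the watch-list of permissions are constructed for the example, not captured from a device or taken from the report.

```python
"""Audit sideloaded Android apps for banking-trojan risk indicators.

Added example, not from the thread or from Kaspersky's Ghimob report. It
assumes the line layout of `dumpsys package` ("requested permissions:"
followed by one indented permission per line) and the colon-separated
"pkg/class" layout of the enabled_accessibility_services secure setting.
"""
import re
from typing import Dict, Set

# Constructed watch-list of permissions that, combined with an accessibility
# service, let an app capture credentials; not an official Android category.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw fake login screens over other apps",
    "android.permission.RECEIVE_SMS": "can intercept SMS one-time codes",
    "android.permission.READ_SMS": "can read stored SMS one-time codes",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload further APKs",
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
# A permission line: indentation, "<prefix>.permission.<NAME>", optional ": flags".
PERM_RE = re.compile(r"^\s+([\w.]+\.permission\.[A-Z0-9_]+)(?::.*)?\s*$")

# Constructed sample in the shape of `dumpsys package` output (made-up package names).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (a1b2c3):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.fakedefender] (d4e5f6):
    userId=10124
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.messenger] (0a0b0c):
    userId=10125
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
  Package [com.example.screenreader] (7f7f7f):
    userId=10126
    requested permissions:
      android.permission.INTERNET
"""
# Constructed value of the enabled_accessibility_services secure setting.
SAMPLE_A11Y = ("com.example.fakedefender/com.example.fakedefender.AccessService:"
               "com.example.screenreader/com.example.screenreader.ReaderService")


def parse_requested_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Map each package to the permissions listed under 'requested permissions:'."""
    perms: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:                                   # new package block starts
            current = m.group(1)
            perms[current] = set()
            in_requested = False
            continue
        if current is None:
            continue
        if line.strip() == "requested permissions:":
            in_requested = True
            continue
        if in_requested:
            pm = PERM_RE.match(line)
            if pm:
                perms[current].add(pm.group(1))
            else:                               # any other line ends the section
                in_requested = False
    return perms


def parse_enabled_accessibility(setting_value: str) -> Set[str]:
    """Return the package names whose accessibility services are enabled."""
    pkgs: Set[str] = set()
    for component in setting_value.strip().split(":"):
        component = component.strip()
        if component and component != "null":
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def assess(perms: Dict[str, Set[str]], a11y_pkgs: Set[str]) -> Dict[str, dict]:
    """Rate each package: 'high' = accessibility + risky permission, 'medium' = one of them."""
    findings: Dict[str, dict] = {}
    for pkg, requested in perms.items():
        risky = sorted(p for p in requested if p in RISKY_PERMISSIONS)
        has_a11y = pkg in a11y_pkgs
        if has_a11y and risky:
            level = "high"
        elif has_a11y or risky:
            level = "medium"
        else:
            continue
        findings[pkg] = {"level": level, "accessibility": has_a11y,
                         "risky_permissions": risky,
                         "reasons": [RISKY_PERMISSIONS[p] for p in risky]}
    return findings


def run_audit() -> Dict[str, dict]:
    """Run the audit over the constructed samples."""
    return assess(parse_requested_permissions(SAMPLE_DUMPSYS),
                  parse_enabled_accessibility(SAMPLE_A11Y))


if __name__ == "__main__":
    for pkg, info in sorted(run_audit().items()):
        print(f"{info['level']:6} {pkg}  accessibility={info['accessibility']}  "
              f"{', '.join(info['reasons']) or 'no risky permissions'}")
```

In the constructed sample the fake "defender" app is the only one rated high: it has an enabled accessibility service and also asks to draw over other apps and receive SMS. A messaging app asking for SMS, or a screen reader with accessibility alone, each land at medium, which is the point of the combined check: a single permission is normal for many legitimate apps, the combination rarely is.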
