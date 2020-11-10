Researchers at cybersecurity firm Kaspersky have discovered a new banking trojan, Ghimob, that belongs to the Tetrade family and is targeting financial apps from banks, fintech, exchanges and cryptocurrencies in mobile devices in Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique.

According to Kaspersky's Global Research and Analysis Team (GReAT), Ghimob is a Brazilian mobile banking trojan with a worldwide reach. It is far more advanced, richer in features and more persistent than BRATA or Basbanke, the other mobile banking trojan families originating in Brazil.

"Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries. Our telemetry findings have confirmed victims in Brazil, but as we saw, the trojan is well prepared to steal credentials from banks, fintechs, exchanges, crypto-exchanges and credit cards from financial institutions operating in many countries, so it will naturally be an international expansion," the cybersecurity firm said in a post.

How does the Ghimob trojan work?

To lure the victim, cybercriminals send an email that pretends to come from a creditor and provides a link where the recipient can supposedly view more details; the app behind the link poses as Google Defender, Google Docs, WhatsApp Updater, etc. When the user clicks the malicious URL, Ghimob APKs disguised as installers of these popular apps are downloaded.

Once the infection is complete, the malware sends an infection notification to its notification server containing the phone model, whether a screen lock is active, and a list of all installed apps that the malware targets, including their version numbers. The attacker can then access the infected device remotely and complete the fraudulent transaction from the victim's own smartphone. While the transaction is being performed, the criminals can display a black screen or open a website in full screen as an overlay, so that the transaction completes in the background while the user is looking at the overlay.

Notably, Ghimob spies on 153 mobile apps, 112 of which belong to financial institutions in Brazil. It also prevents the user from uninstalling it, restarting the device or shutting it down.
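The behaviour described above (a lure app impersonating a well-known brand, full-screen overlays drawn over the banking app, and resistance to being uninstalled) leaves traces in the APK's manifest that an analyst can triage before the app ever runs. The script below is an added example, not Kaspersky's tooling and not derived from a Ghimob sample: it parses a decoded `AndroidManifest.xml` and flags the overlay permission (`SYSTEM_ALERT_WINDOW`, which is what an app needs to draw over other apps), a brand name in the app label that does not match the vendor's package namespace, and a registered accessibility service. The accessibility-service check is an assumption about how uninstall blocking is commonly implemented on Android; the article does not name Ghimob's mechanism. Both manifests in the block are constructed for the example.

```python
"""Manifest triage for the lure/overlay pattern described in the article.

Added example, not the article's or Kaspersky's code. Both manifests below are
CONSTRUCTED; no real Ghimob sample was examined.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_LABEL = f"{{{ANDROID_NS}}}label"

# Real Android identifiers. SYSTEM_ALERT_WINDOW lets an app draw over other apps
# (the black screen / full-screen website overlay the article describes).
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
# ASSUMPTION: an accessibility service is a common way for Android malware to
# resist uninstallation; the article does not state which mechanism Ghimob uses.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Brands the article says the lure apps impersonate, mapped to the package
# namespace the genuine vendor ships under.
BRAND_PACKAGE_PREFIX = {
    "google": "com.google.",
    "whatsapp": "com.whatsapp",
}

# CONSTRUCTED manifest imitating a "WhatsApp Updater" lure (literal label for simplicity;
# real manifests usually reference a string resource instead).
SAMPLE_LURE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="br.app.updater">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="WhatsApp Updater">
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# CONSTRUCTED benign manifest for comparison.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.whatsapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="WhatsApp"/>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return package, label and a list of findings for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    permissions = {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}
    app = root.find("application")
    label = (app.get(ANDROID_LABEL) if app is not None else None) or ""

    findings = []

    # 1. Can this app draw over other apps? Needed for the overlay trick.
    if OVERLAY_PERMISSION in permissions:
        findings.append("requests SYSTEM_ALERT_WINDOW (can draw full-screen overlays)")

    # 2. Does the label claim a brand whose package namespace this app is not in?
    for brand, prefix in BRAND_PACKAGE_PREFIX.items():
        if brand in label.lower() and not package.startswith(prefix):
            findings.append(
                f"label '{label}' suggests {brand} but package '{package}' is outside {prefix}"
            )

    # 3. Does it register an accessibility service? (assumed uninstall-blocking vector)
    for service in root.iter("service"):
        actions = {a.get(ANDROID_NAME) for a in service.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            findings.append(f"registers accessibility service {service.get(ANDROID_NAME)}")

    return {
        "package": package,
        "label": label,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for name, manifest in (("lure", SAMPLE_LURE_MANIFEST), ("benign", SAMPLE_BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"[{name}] {result['package']} suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("   -", finding)
```

The checks are deliberately cheap and static so they can run on every APK pulled from a mail gateway or sideload report; a hit is a reason to escalate to dynamic analysis, not proof of infection, since legitimate accessibility and screen-filter apps request the same permissions.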

Kaspersky recommends that financial institutions watch and understand these threats closely, improving their authentication processes and strengthening anti-fraud technology and threat intelligence data to mitigate the risks posed by the new mobile RAT family.