Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published on Monday by Kaspersky. Kaspersky says the new Android trojan has been offered for download packed inside malicious Android apps on sites and servers previously used by the Astaroth operation. Distribution was never carried out via the official Play Store. Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.
These apps mimicked official apps and brands, with names such as Google Defender, Google Docs, WhatsApp Updater, or Flash Update. If users were careless enough to install the apps despite all the warnings shown on their devices, the malicious apps would request access to the Accessibility service as a final step in the infection process.
If this was granted, the apps would search the infected phone for a list of 153 apps for which it would show fake login pages in an attempt to steal the user's credentials. Most of the targeted apps were for Brazilian banks, but in recently updated versions, Kaspersky said Ghimob also expanded its capabilities to start targeting banks in Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola and Mozambique (one app per country).
Furthermore, Ghimob also added an update to target cryptocurrency exchange apps in attempts to gain access to cryptocurrency accounts, with Ghimob following a general trend in the Android malware scene that has slowly shifted to target cryptocurrency owners. After any phishing attempt was successful, all collected credentials were sent back to the Ghimob gang, which would then access a victim's account and initiate illegal transactions.
If accounts were protected by hardened security measures, the Ghimob gang used its full control over the device (via the Accessibility service) to respond to any security probes and prompts shown on the attacked smartphone.
Ghimob's features aren't unique, but actually copy the make-up of other Android banking trojans, such as Blackrock or Alien.
Kaspersky noted that Ghimob's development currently echoes a global trend in the Brazilian malware market, with the very active local threat actors slowly expanding to target victims in countries abroad.
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company wide. (Read Multifactor Authentication or MFA)
- Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Weekly Cyber Intelligence Briefings: