Brazil is known for its pristine beaches, nightlife, hot dancing, and of course, The Girl from Ipanema. A recently uncovered Brazilian banking Trojan targeting Android devices can spy on over 150 apps, including those of banks, cryptocurrency exchanges, and fintech firms, as a way to gather credentials and other data, according to an analysis by security firm Kaspersky. A Trojan is sometimes called a Trojan virus or a Trojan horse virus, but that is a contradiction in terms: viruses can execute and replicate themselves, whereas a Trojan cannot and must be executed by the user. Even so, the terms Trojan malware and Trojan virus are often used interchangeably. This malware, called Ghimob, was developed by fraudsters in Brazil and is currently in use there; it has also targeted apps associated with banks and their customers in Germany, Portugal, Peru, Paraguay, Angola, and Mozambique. I wonder if they live in Ipanema, Brazil.
The Trojan appears to be linked to several other malware variants developed by the same Brazilian cybercriminal group. These banking Trojans are collectively known as Tétrade, an umbrella term for four distinct malware strains: Guildma, Javali, Melcoz, and Grandoreiro. Security research indicates that Ghimob was developed by the same cybercriminals who coded the Astaroth Windows malware. It is interesting to note that the official Google Play Store has not yet been abused as a distribution channel. Instead, the attackers distributed malicious Android apps from sites and servers previously deployed by Astaroth.
Astaroth is a well-known player in the field of banking Trojans. One of its latest updates was observed in May 2020, when Cisco Talos researchers detected that Astaroth had been upgraded with advanced obfuscation and anti-analysis techniques. The May 2020 campaigns also displayed an innovative use of YouTube channel descriptions for encoded command-and-control communications.
Since 2011, the operators behind the Tétrade family of Trojans have mainly targeted financial institutions in Brazil. In recent months, the cybercriminals have started expanding globally, reengineering the malware to better evade security tools. "Brazilian cybercriminals are very active and are creating new banking Trojans for desktop and mobile platforms," says a security expert at Kaspersky. "Right now, they are in a move to expand their attacks abroad, and Ghimob is one important step in this movement."
Kaspersky researchers first came across the Ghimob Trojan in August 2020 while examining a Windows campaign related to another malware strain circulating in Brazil. "We believe this campaign could be related to the Guildma, a Brazilian banking Trojan threat actor for several reasons, mainly because they share the same infrastructure," according to the report. "It is also important to note that the protocol used in the mobile version is very similar to that used for the Windows version."
Unlike other types of Android-focused malware, the Ghimob Trojan does not disguise itself as a legitimate app that is hidden within the official Google Play Store. Instead, the criminals attempt to lure victims into installing a malicious file through a phishing or spam email that suggests that the recipient has debt. The message includes an "informational" link for the victim to click on, which starts the malware delivery. The malicious link is usually disguised to appear as either a Google Defender, a Google Doc, or a WhatsApp Updater. If opened, it installs the Ghimob Trojan within the device. The malware's first step is to check for any emulators or debuggers which, if found, are terminated.
If there are no security tools present on the compromised Android device, Ghimob connects to a command-and-control server and starts sending back details such as the phone model, whether the device has lock screen security, and a list of all installed apps that the malware can target. The Trojan, which is known for its ability to harvest credentials and a wide range of other data, can then target up to 150 banking and financial apps, most of which are used in Brazil. The list of targeted apps is likely to expand as the criminals grow greedier. "Even if the user uses a lock screen pattern, Ghimob is able to record it and replay it to unlock the device," according to Kaspersky. "When the actors are ready to perform a fraudulent transaction, they can insert a blank or black screen overlay or open some websites in full screen. While the user looks at that screen, the attackers perform the fraudulent transaction in the background, using the already opened or logged-in financial app running on the device."
Ghimob can block a user from attempting to uninstall the Trojan. The malware can also shut down and restart a device. The malware uses domain generation algorithms as a way to disguise its command-and-control IP address to help evade security tools, according to the report.
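Because the report notes that Ghimob hides its command-and-control address behind a domain generation algorithm, one defensive check is to score DNS query names for DGA-like randomness. The following is an added example, not code from Kaspersky or the original article; the log format and the sample domains are constructed for illustration and are not Ghimob indicators.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real indicators).
# Assumed format: "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = """\
2020-11-10T09:01:02Z 10.0.0.12 www.google.com
2020-11-10T09:01:05Z 10.0.0.12 api.whatsapp.com
2020-11-10T09:01:09Z 10.0.0.12 xk3qz9vbt7m2.com
2020-11-10T09:01:10Z 10.0.0.12 qwp7dzl2hv9xr.net
2020-11-10T09:01:15Z 10.0.0.12 play.googleapis.com
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character; random labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Label left of the TLD (naive split, fine for this example)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label):
    """Heuristic score 0..3: high entropy, few vowels, digits mixed with letters."""
    score = 0
    if shannon_entropy(label) > 3.0:
        score += 1
    if sum(ch in VOWELS for ch in label) / max(len(label), 1) < 0.25:
        score += 1
    if re.search(r"\d", label) and re.search(r"[a-z]", label):
        score += 1
    return score


def flag_suspicious(log_text, threshold=2):
    """Return queried names whose second-level label looks machine-generated."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2]
        if dga_score(second_level_label(qname)) >= threshold:
            flagged.append(qname)
    return flagged
```

Heuristics like these produce false positives on CDN and tracking hostnames, so use the output to prioritize review rather than to block automatically.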
As smartphones increasingly become the primary means of computing, attacks on phone apps will continue. Installing, updating and monitoring firewalls and other security controls, together with proper employee training, are key to blocking such attacks. Employing underground search to proactively stop attacks is an additional and important support feature. Please feel free to contact our analyst team for research assistance and proactive Cyber Threat Analysis on your organization.
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org