Brazilian malware Ghimob targets 153 financial apps
Ghimob, a new strain of banking malware, is targeting banks, fintechs, and cryptocurrency exchanges in South America, Africa and Europe.
Researchers at Kaspersky Lab’s Global Research and Analysis Team (GReAT) found the malware originating in Brazil. From there it has spread across borders to attack victims around the world.
Ghimob is part of the Tétrade family of banking trojans. Hackers can access infected phones remotely from a command and control server.
If the user has a screen lock pattern in place, Ghimob is able to record it and later replay it to unlock the device.
Ghimob covers its tracks by displaying an overlay on the victim’s phone while the hacker siphons funds from their financial accounts.
Criminals lure potential targets with a phishing email disguised as coming from Google Defender, Google Docs, or WhatsApp.
According to GReAT, the malware can target as many as 153 different mobile apps. The majority of these are provided by “banks, fintechs, cryptocurrencies, and exchanges”.
GReAT researchers write that “it took some time for Brazilian crooks to decide to try their hand at creating a mobile banking trojan with a worldwide reach.
“First, we saw Basbanke, then BRATA, but both were heavily focused on the Brazilian market.
“Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries.”
Brazil is a hotbed of malware and virus activity. A Trend Micro study from June 2019 ranked the country as the most threatened by ransomware in the world.
Brazilians account for 11% of all ransomware attacks globally. The country saw more than two billion malicious emails sent to potential victims in 2019.