According to Kaspersky's Global Research and Analysis Team (GReAT), Ghimob is one of a "Tetrade" of four banking Trojans that target financial institutions in Latin America, including Brazil, and in Europe; the criminals behind the operation have now expanded their tactics to infect mobile devices with spyware.
The Android banking Trojan also targets financial apps from fintech companies, exchanges, banks, and cryptocurrency services in Paraguay, Portugal, Peru, Germany, Angola, and Mozambique.
How Ghimob Banking Trojan targets fintech apps
Because Ghimob shares the infrastructure used by Guildma, its modus operandi is also evident: phishing emails distribute the malware by luring unsuspecting users into clicking on malicious URLs that then download the Ghimob APK installer onto their Android devices.
Once the Trojan is installed on the device, it functions much like other mobile RATs. It masks its presence by hiding from the app drawer, and by abusing Android's accessibility features it gains persistence, disables manual uninstall, manipulates screen content, and captures keystrokes, giving the attackers full remote access to the device.
Ghimob is fully able to record the screen lock pattern and later replay it to unlock the device. It targets as many as 153 mobile apps, 112 of them belonging to financial institutions based in Brazil, with cryptocurrency and banking apps accounting for the rest.
How to Mitigate against Ghimob Banking Trojan
It is recommended that Android users always scrutinize the permissions granted to the apps installed on their devices.
If you notice unusual notifications or screen activity on your Android device, or suspect that an installed app is infected with malware, uninstall the app immediately, and make sure the operating system and apps are kept up to date.
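Because the abuse of Android's accessibility service is the capability that gives Ghimob its persistence and screen control, one concrete way to "scrutinize permissions" is to check which packages currently hold accessibility access. The script below is an added example written for this article, not code from Kaspersky or from the malware analysis; it assumes `adb` is installed with an authorised device attached, and that the `enabled_accessibility_services` setting uses the stock `package/service:package/service` format. The sample value it self-tests against is constructed, not taken from a real device.

```shell
#!/bin/sh
# Defender check: list packages with accessibility-service access on an
# Android device and flag any that are not on a known-good allowlist.

# Split the raw settings value ("pkg/svc:pkg/svc") into one package per line.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sed '/^$/d' | sort -u
}

# Print packages from the raw value $1 that are not in the space-separated
# allowlist $2. Anything printed deserves a manual look.
unexpected_accessibility_packages() {
    raw="$1"; allow=" $2 "
    accessibility_packages "$raw" | while IFS= read -r pkg; do
        case "$allow" in
            *" $pkg "*) ;;                 # expected (e.g. a screen reader)
            *) printf '%s\n' "$pkg" ;;     # unexpected holder of accessibility access
        esac
    done
}

# Live check against a connected device (requires adb). Prints nothing when
# only allow-listed packages hold accessibility access. Android returns the
# literal string "null" when no service is enabled, so treat that as empty.
check_device() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    [ "$raw" = "null" ] && raw=""
    unexpected_accessibility_packages "$raw" \
        "${ALLOWLIST:-com.google.android.marvin.talkback}"
}

# Constructed sample (hypothetical package names, not real indicators) used
# for an offline self-test of the parsing and allowlist logic.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeapp/com.example.fakeapp.AccService'

if [ "${1:-}" = "--self-test" ]; then
    unexpected_accessibility_packages "$SAMPLE" "com.google.android.marvin.talkback"
elif [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Run it with `--device` to inspect a connected phone; a package you do not recognise holding accessibility access is worth uninstalling and investigating, as the article advises.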