New Malware Ghimob Spies on Android Financial Apps


Cyber security experts have recently identified the existence of a new Android malware called Ghimob that spies and steals data from more than 100 apps, said ZDNet. Particularly, the malware targets financial applications.

Originating from Brazil, Ghimob is a trojan that injects itself into unsuspecting victims’ devices. It can attack a device once it is downloaded and installed through malicious apps. These applications can be downloaded on websites and servers operated by the attackers.


ZDNet noted that malicious software can only be downloaded through these sources and not from Google’s official Play Store.

Malware Ghimob Spies on Android Financial Apps

Kaspersky, which reported the discovery of this malware, said, “Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries.”


“Our telemetry findings have confirmed victims in Brazil, but as we saw, the trojan is well prepared to steal credentials from banks, fintechs, exchanges, crypt-exchanges, and credit cards from financial institutions operating in many countries,” the report continues.

This new Android malware is believed to be developed by the same group that created the Astaroth (Guildma) malware for Windows. Currently, it is known to infiltrate 153 applications.

To trap victims, the group used emails and malicious websites to redirect users to compromised sources. Usually, the sites imitate known websites.

Gadgets 360 added that the emails pretend to be creditors. The content includes links where “the recipient could view more information.” This will download app packages or apk files pretending to be popular apps such as Google Docs, WhatsApp Updater, and Google Defender.

Users who install application packages downloaded from such sites, the app would ask for various permissions. Ultimately, gaining Accessibility service access will help the app fully infect the device.

The malware searches the device for apps included in its list of 153 target applications, including banking apps from Brazil, Germany, Portugal, Peru, Paraguay, Angola, and Mozambique. Cryptocurrency exchange apps also became targets as part of its update.

The group also uses phishing scams to gain access to various accounts, especially finance-related ones. It then proceeds to make illegal transactions, according to ZDNet.

After granting permission to the culprit application, full security measures will not be able to prevent the illicit activities of the malware as it already gained Accessibility service permission.

While Ghimob emerged and was discovered recently, ZDNet noted that there have been Android banking malware in the past such as BlackRock and Alien.