Security experts have discovered a new malware that can spy and obtain data from 153 Android applications.
According to the report released on Monday by security firm Kaspersky, Ghimob (an Android banking Trojan) is believed to have been developed by the same group that developed Guildma (Astaroth) Windows malware.
The security firm says that Ghimob has been offered for download contained in malicious Android applications on servers and sites previously used by the Guildman operation.
The distribution didn’t take place through the official Play Store. Instead, the group relied on malicious sites and emails to redirect users to sites promoting Android applications.
The Android apps where the users were redirected mimicked official Android applications, some with names such as Flash Update, Google Defender, WhatsApp Updater, or Google Docs. If the users went ahead carelessly and clicked the install button despite all the warnings displayed on their devices, the malicious applications would request access to the Accessibility service. This would be the final step.
If accessibility permission were granted, the apps would look for a list of 15 apps on your device and display fake log-in pages in an attempt to obtain user’s data.
The countries targeted by the malware
Initially, Brazilian bank apps were targeted. However, in the recently updated versions, the group has expanded its capabilities to target Germany bank apps (5 apps), Paraguay (2 apps), Portugal (3 apps), Peru (2 apps), Mozambique, and Angola (1 app each country).
Besides bank apps, Ghimob added an update targeting cryptocurrency exchange applications. If the phishing attempts were executed successfully, the collected data were sent to the Ghimob gang, which they would use to control the account of the victim and initiate transactions illegally.
This malware isn’t unique but uses the same techniques used by Android banking Trojans such as Alien and BlackRock.