Ghimob Android Banking Trojan Targets 153 Mobile Apps

android banking trojan ghimob

A banking trojan is targeting mobile app users in Brazil – and researchers warn that its operator has big plans to expand abroad.

A new banking trojan has been discovered targeting Android users, with the capabilities to spy on 153 mobile apps from various banks, cryptocurrencies and exchanges.

Researchers describe the banking trojan, called Ghimob, as a “full-fledged spy in your pocket” that can be accessed remotely by its operators. Cybercriminals can use the trojan to bypass financial institutions’ security and antifraud measures, in order to make fraudulent transactions on the victim’s smartphones.

Kaspersky telemetry shows that all victims of the Ghimob mobile banking trojan are currently located in Brazil at the moment. However, because some of the targeted apps are based outside of Brazil, they believe Ghimob has big plans to expand abroad – including to Angola, Germany, Mozambique, Paraguay, Peru and Portugal.

Of the 153 apps targeted by Ghimob, 112 are in Brazil.

“Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries,” said researchers with Kaspersky, in a Monday analysis. “Our telemetry findings have confirmed victims in Brazil, but as we saw, the trojan is well prepared to steal credentials from banks, fintechs, exchanges, crypto-exchanges and credit cards from financial institutions operating in many countries, so it will naturally be an international expansion.”

Attack Process

Ghimob victims are first persuaded to install a malicious file via an email written in Brazilian Portuguese. This email purports to be from a creditor and provides a link where the recipient could view more information. The link leads to an app, which pretends to be various legitimate tools, such as Google Defender, Google Docs or WhatsApp Updater.

As soon as the trojan is installed and launched, it first attempts to sniff out any possible emulators or debuggers. If any are present, the malware terminates itself.

“Newer versions of the malware have moved the emulator names to an encrypted configuration file,” said researchers. “If those previous checks are passed, the user is then presented with the default Android accessibility window, as the malware heavily relies on accessibility to work.”

The malware then sends a message back to the command-and-control (C2) server containing the victims’ phone data, including the model, whether it has a screen lock activated and a list of all targeted apps that are installed on the phone (including their version numbers).


Ghimob has screen-recording capabilities allowing it to record when a user inputs their screen lock pattern, and later replay it to unlock the device.  It also can block the user from uninstalling it, restarting or shutting down the device.

It also relies on a common overlay screen tactic used by Android mobile banking trojans to avoid detection, where the cybercriminal can insert a black screen as an overlay or open a website in a full screen. While the user looks at that overlay screen, in the background the attack performs the transaction by using a financial app running on the victim’s smartphone.

Once downloaded, the app then can target various apps on the victims’ smartphone to carry out fraudulent transactions.

Finally, “from a technical standpoint, Ghimob is also interesting in that it uses C2s with fallback protected by Cloudflare, hides its real C2 with DGA and employs several other tricks, posing as a strong competitor in this field,” noted researchers. “Compared to BRATA or Basbanke, another mobile banking trojan family originating in Brazil, Ghimob is far more advanced and richer in features, and has strong persistence.”

Ties to Guildma

Researchers tied the campaign back to the Guildma threat actor, a well-known Brazilian banking trojan, mainly due to the two sharing the same infrastructure.

“It is also important to note that the protocol used in the mobile version is very similar to that used for the Windows version,” said researchers.

Guildma is a threat actor that’s part of the Tetrade family of banking trojans – Kaspersky’s designation for four large banking trojan families created, developed and spread by Brazilian crooks. Ghimob shows that Guildma has been working on bringing in new techniques, creating new malware and targeting new victims, researchers said.

Moving forward, researchers recommend that financial institutions watch these threats closely. They also suggest taking measures such as “improving their authentication processes, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate all of the risks that this new mobile RAT family poses.”

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.

Suggested articles