Guildma, a threat actor associated with the Tetrade malware family, has created a new banking Trojan called Ghimob, which targets Android smartphones by tricking users into installing an app outside of the Google Play store. The trojan has been infecting mobile devices and targeting financial apps from exchanges, banks, and cryptocurrency companies based in Brazil, Peru, Portugal, Paraguay, Mozambique, Angola, and Germany. Once a mobile device is infected, hackers can access the device remotely. Hackers can use overlay screens while they access financial apps, so victims are unwitting to what is taking place. Ghimob is even able to record screen lock patterns and replay them later to access mobile devices. Upon infection the app will terminate itself if it recognizes debugging software. If the victim attempts to uninstall the malware, Ghimob will restart or shutdown the device.
Ghimob will likely expand to several countries. It is the first Brazilian banking trojan to target bank accounts outside of Brazil. The trojan is well prepared to steal credentials from banks, fintech companies, exchanges, crypto-exchanges, and credit cards from financial institutions operating in many countries, so it will naturally be an international expansion. Banks should warn their customers not to install Android apps from any source other than official app stores, and to be cautious of new apps or apps without many reviews since malware occasionally makes it onto even the official Google Play store for a short time before it is discovered and removed.