Cybersecurity firm Kaspersky has warned users of a new banking malware called Ghimob that can enable cybercriminals to gain access to user devices.

The firm came across the malware while monitoring a Windows campaign related to another banking malware called Guildma.

Kaspersky researchers found URLs distributing the malware pushing a malicious file that can download and install the Ghimob malware on a user device along with a malicious .ZIP file for Windows.

Ghimob is a new banking Trojan.

“Upon infiltrating Accessibility Mode, Ghimob can gain persistence and disable manual uninstallation, capture data, manipulate screen content and provide full remote control to the actors behind it,” explained Kaspersky.

Also readFleeceware apps on Google Play deceive millions of users: Report

How it works?

“According to experts, the developers of this very typical mobile Remote Access Trojan (RAT) are focussed on users in Brazil but have big plans to expand across the globe. The campaign is still active,” it added.

Cybercriminals lure victims into installing the malicious file through an email guise as an alert that the user has some kind of debt. The email contains a link that is meant to provide more information to the user about this debt. When a user clicks on the link, the RAT is installed and the malware sends a message about the successful infection to its server.

This message sent by the malware to the server includes the phone model, whether it has lock screen security and a list of all installed apps that the malware can target.

Overall, the Ghimob malware can spy on 153 mobile apps on a user’s phone, primarily from banks, fintech companies, cryptocurrencies, and exchanges.

“When it comes to functions, Ghimob is a spy in the victim’s pocket. Developers can remotely access the infected device, completing fraud using the owner’s smartphone in order to avoid machine identification and security measures implemented by financial institutions and all of their anti-fraud behavioral systems,” explained Kaspersky.

The malware can record a lock screen pattern and unlock the device. Developers then insert a black or blank screen overlaying the screen or open some website in full screen to perform fraudulent transactions in the background while users look at the screen.

According to Kaspersky the malware has targeted users in Brazil, Ghimob targets are located in Paraguay, Peru, Portugal, Germany, Angola and Mozambique.

“Ghimob is the first Brazilian mobile banking Trojan ready for international expansion. We believe this new campaign could be related to the Guildma threat actor, responsible for a well-known Brazilian banking Trojan, due to several reasons, but mainly because they share the same infrastructure. We recommend that financial institutions watch these threats closely, while improving their authentication processes, boosting anti-fraud technology and threat intelligence data, and trying to understand and mitigate all risks of this new mobile RAT family,” said Fabio Assolini, security expert at Kaspersky.