A new virus attacks banking and financial applications on Android phones

November 11, 2020

After four months of research and investigation, security experts from the Russian company Kaspersky identified four Brazilian malware families that target banking and financial applications in Brazil, Latin America and some European countries, using new stealth techniques.
According to Kaspersky's security team, the malware, named Ghimob, was developed by the Brazilian group known as Guildma. It targets banking applications, financial applications, money and currency exchange applications, cryptocurrency trading applications and bitcoin wallet applications, and it is particularly active in Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique.
Once the infection is complete and Ghimob is running on the victim's device, the attackers have full access to the phone, can control it remotely, and can carry out fraudulent financial operations such as transferring money to their own accounts, bypassing the protection systems that financial companies and banks have built into these applications, including behavioral fraud control systems and some additional security steps.
Ghimob then continues its work and the phishing process by sending itself from the victim's e-mail account to the victim's contacts, using alarming social engineering messages: for example, telling recipients that they have outstanding debts that must be repaid or interest will be added, and inviting them to download the application and settle the debt at the earliest opportunity, among other social engineering tricks.
Like most malicious programs, once the victim installs the application, it hides its icon from the device's app screen, escalates its privileges in the system, and then disables the manual uninstall feature to maintain its presence. It then starts its work of recording keystrokes and taking screenshots of the targeted financial applications.
What is new and distinctive about Ghimob is that it can record a video of the lock pattern or password and send it to the attackers. The Ghimob virus then unlocks the screen on its own when it detects that the user is not using the phone (often late at night while the user is sleeping). It is also able to reopen an Internet connection if the user turns off the WiFi or mobile network, and then it runs the financial and banking applications, enters previously captured passwords, and sends money or cryptocurrency to the Guildma team.
To ensure that it can operate undisturbed, after unlocking the screen Ghimob displays a black screen covering the entire display so that the phone appears to be off; the victim sees nothing of the bank or financial application being opened and the login information being entered, even if the phone's owner is awake, while Ghimob continues to operate, opening financial apps, sending money and so on.
According to Kaspersky's security team, Ghimob can attack about 153 applications, 112 of which belong to banks, financial institutions and exchanges based in Brazil, while the rest belong to German banks and financial companies and to institutions in other countries in Latin America and some other European countries.
It should be noted that Ghimob is the first Brazilian malware specialized in targeting banking applications that is able to spread internationally.
Experts also believe that this type of malware will become more prevalent in the coming months and years. They call on financial and banking institutions to further develop their applications, implement protection measures, add strict two-factor authentication steps when financial transfers are made, and take additional steps that may be inconvenient to users but would provide an extra layer of protection. They also urge users to be careful not to install applications from outside known app stores, and to be extra cautious.
