153 apps found with Ghimob, a malware that empties bank accounts

The new trojan spies on the user, steals banking credentials, drains the bank account and hides itself well.

A very dangerous new malware has been circulating for a few weeks: it is called Ghimob, it is a banking trojan, and it can empty the bank account of the unlucky owner of an infected smartphone. Kaspersky researchers found Ghimob in 153 malicious Android apps which, like the Cobalt Strike payload recently found in fake Microsoft Teams updates, are not distributed through the usual official stores.

This new trojan is a close relative of Alien, another name well known among security researchers for the damage it can do. Like Alien, Ghimob turns the infected smartphone into a continuous spying tool through which the attackers can also capture login data for banking apps and sites, with the obvious consequence that current accounts are seriously at risk. Ghimob is, moreover, sophisticated enough to unlock the phone's screen on its own, which means it can operate when we least expect it, without us noticing anything.

How Ghimob works and why it is dangerous

Ghimob is a complete, efficient and effective spying tool: once the infection is complete, the operator who controls it can remotely access the infected device and carry out fraudulent banking transactions directly from the victim's smartphone. It does this by mimicking exactly what the legitimate account holder would do when accessing their account.

In this way Ghimob sidesteps the anti-fraud controls put in place by financial institutions, which are now good at catching suspicious transactions that come from an unknown device or deviate from the customer's usual behaviour: here the transaction originates from the customer's own phone. Even if the user has set a screen lock pattern, Ghimob can record it and replay it later to unlock the device.

When the cybercriminal is ready to execute the transaction, they can push a black overlay that covers the entire screen, so even if the user is holding the phone at that moment, they will not see Ghimob accessing their bank account to empty it through the bank's website or app.

A diabolical trick, which makes this banking trojan extremely dangerous, and which is also used when the malware discovers that the user has a cryptocurrency wallet, for example for bitcoin or ethereum.

Which Ghimob-infected apps should be deleted immediately

Kaspersky found 153 infected apps that contain Ghimob. None of them was published on Google's official Play Store, but almost all of them imitate the name and functionality of official, well-known apps.

These are apps with names such as "Google Defender", "Google Docs", "WhatsApp Updater" and the like, distributed through purpose-built websites. During installation they ask the user for a long list of permissions to access the device's hardware in order to "work" and, if the user grants them, the user has sealed their own fate.

How to defend yourself against Ghimob

The Ghimob infection begins as soon as the user downloads and installs one of the 153 apps used to distribute it. Usually the user is lured into downloading one of these apps through a phishing email or a link posted on forums and social networks.

The only way to defend yourself against Ghimob, therefore, is not to fall into the trap and not to download any apps from unofficial websites or stores. As we know by now, unfortunately, not even Google manages to block 100% of infected apps on its Play Store (and, to be honest, lately dangerous apps have turned up on Apple's App Store as well) but, at least, Big G's store is regularly checked and "cleaned" of dangerous apps, which does not happen on other platforms.
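The two properties described above (the trojan is sideloaded from outside the Play Store, and it needs an accessibility service plus a full-screen overlay to drive the banking app and hide what it is doing) can be turned into a quick triage check for a phone you suspect. The script below is an added example written for this page, not Kaspersky's tooling or anything from the Ghimob analysis: it parses the output of three stock `adb shell` commands (`pm list packages -i`, `settings get secure enabled_accessibility_services`, and `appops get <pkg> SYSTEM_ALERT_WINDOW`) and flags apps that were not installed by Google Play and hold one or both capabilities. The sample outputs and package names in it are constructed for the example; the three command formats are the ones those commands print on current Android builds, and the trusted-installer list assumes Google Play (`com.android.vending`) is the only store in use.

```python
"""Triage helper: flag sideloaded Android apps that hold the capabilities a
Ghimob-style banking trojan needs (an enabled accessibility service and the
SYSTEM_ALERT_WINDOW overlay permission). Added example, not the page's own code.
Feed it the real output of the adb commands named in each sample below."""
import re

# Installers we trust. Assumption: Google Play is the only legitimate store in use.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i` (package names are invented).
SAMPLE_PM_LIST = """\
package:com.android.vending  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.google.android.apps.docs  installer=com.android.vending
package:com.whatsapp.updater  installer=null
package:com.gdefender.app  installer=com.android.chrome
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated list of package/ServiceClass components).
SAMPLE_A11Y = "com.whatsapp.updater/com.whatsapp.updater.SvcAcc:com.gdefender.app/.Helper"

# Constructed samples of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, keyed by package.
SAMPLE_APPOPS = {
    "com.whatsapp.updater": "SYSTEM_ALERT_WINDOW: allow; time=+13m21s ago",
    "com.gdefender.app": "SYSTEM_ALERT_WINDOW: deny; time=+2d1h ago",
    "com.whatsapp": "SYSTEM_ALERT_WINDOW: allow; time=+5d ago",
    "com.android.vending": "No operations.",
}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output):
    """Map package -> installer package (None when pm prints 'installer=null')."""
    installers = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def parse_enabled_accessibility(setting):
    """Set of packages with an enabled accessibility service ('null' means none)."""
    pkgs = set()
    if not setting or setting.strip() == "null":
        return pkgs
    for component in setting.split(":"):
        component = component.strip()
        if component:
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def overlay_allowed(appops_output):
    """True when appops reports the overlay op as 'allow' for the package."""
    return bool(re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_output or ""))


def triage(pm_output, a11y_setting, appops_by_pkg, trusted=TRUSTED_INSTALLERS):
    """Return findings (highest risk first) for sideloaded packages that hold
    an accessibility service and/or the overlay permission. Preinstalled system
    apps also show installer=null; filter them with `pm list packages -s` first."""
    a11y_pkgs = parse_enabled_accessibility(a11y_setting)
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        if installer in trusted:
            continue  # installed by a trusted store: out of scope for this check
        has_a11y = pkg in a11y_pkgs
        has_overlay = overlay_allowed(appops_by_pkg.get(pkg, ""))
        if not (has_a11y or has_overlay):
            continue
        findings.append({
            "package": pkg,
            "installer": installer,
            "accessibility": has_a11y,
            "overlay": has_overlay,
            # both capabilities together are what the overlay-and-drive fraud needs
            "risk": "high" if (has_a11y and has_overlay) else "medium",
        })
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (order[f["risk"]], f["package"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_A11Y, SAMPLE_APPOPS):
        print(f"{f['risk']:6} {f['package']:28} installer={f['installer']} "
              f"a11y={f['accessibility']} overlay={f['overlay']}")
```

On the constructed sample the lookalike "WhatsApp Updater" package is rated high (no store installer, accessibility service enabled, overlay allowed) and the "Google Defender" lookalike medium (browser-installed, accessibility only), while the genuine WhatsApp is skipped because Play installed it. A hit is a lead, not a verdict: legitimate screen readers and password managers use the same permissions, so confirm with the package's origin and signing certificate before removing it.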