Security firm Kaspersky has found 153 malicious Android applications carrying a trojan called Ghimob. Ghimob was developed by the same little-known group responsible for spreading the Astaroth (Guildma) malware, which targeted the Windows operating system some time ago.
In its report, Kaspersky said Ghimob harms phone users because it can spy on and steal data from the applications it piggybacks on. According to Kaspersky, the malware is embedded in malicious Android applications that are downloaded from the same sites and servers previously used in the Astaroth (Guildma) campaign.
The malware is therefore not distributed through the Google Play Store. The group behind Ghimob instead uses e-mail or malicious websites to redirect users to pages promoting fake Android apps.
In this scheme, hundreds of these malicious applications are made to resemble official apps such as Google Docs, Google Defender, Flash Update, or WhatsApp Updater. Once a malicious app is downloaded and installed on the phone, the user is asked to grant it access to the Accessibility service. When that permission has been granted, Ghimob scans the phone for any of the 153 applications. The malware then attempts to steal the user's credentials by displaying a fake login page over the targeted application.
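The infection chain described above has three observable traits on the device: the app was sideloaded rather than installed from Google Play, it carries the label of a well-known app, and it has been granted Accessibility access. The following Python script turns those traits into a simple triage heuristic. It is an added illustration written for this page, not code from Kaspersky or from the article; the scoring rule, the package names and the device inventory are constructed assumptions for the example, not real device output or known indicators.

```python
"""Triage heuristic for Ghimob-style droppers: sideloaded apps that hold
Accessibility access and carry the label of a well-known app.
Added illustration, not code from Kaspersky or the article; the device
inventory below is constructed sample data, not real device output."""
from dataclasses import dataclass
from typing import Optional

PLAY_STORE_INSTALLER = "com.android.vending"

# Labels the article says the fake apps imitate, mapped to the package names
# that may legitimately carry them (empty tuple = no legitimate app uses it).
LOOKALIKE_LABELS = {
    "google docs": ("com.google.android.apps.docs",),
    "google defender": (),   # not a real Google product
    "flash update": (),      # Flash has no Android updater
    "whatsapp updater": (),  # WhatsApp updates via the store, not a helper app
}


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]      # None = sideloaded / unknown installer
    accessibility_enabled: bool   # its accessibility service is switched on


def impersonates_known_app(app: InstalledApp) -> bool:
    """True if the label mimics a known app but the package is not a legitimate one."""
    label = " ".join(app.label.lower().split())
    for name, legit_packages in LOOKALIKE_LABELS.items():
        if name in label and app.package not in legit_packages:
            return True
    return False


def assess(app: InstalledApp) -> tuple[int, list[str]]:
    """Score 0..3: one point per red flag from the article's infection chain."""
    reasons = []
    if impersonates_known_app(app):
        reasons.append("label imitates a well-known app")
    if app.installer != PLAY_STORE_INSTALLER:
        reasons.append("not installed from Google Play")
    if app.accessibility_enabled:
        reasons.append("holds Accessibility service access")
    return len(reasons), reasons


def triage(apps: list[InstalledApp], threshold: int = 2) -> list[tuple[str, int, list[str]]]:
    """Return (package, score, reasons) for apps at or above threshold, worst first."""
    findings = []
    for app in apps:
        score, reasons = assess(app)
        if score >= threshold:
            findings.append((app.package, score, reasons))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


# Constructed sample inventory (hypothetical package names, not from any real device).
SAMPLE_INVENTORY = [
    InstalledApp("com.google.android.apps.docs", "Google Docs", PLAY_STORE_INSTALLER, False),
    InstalledApp("com.whatsapp", "WhatsApp", PLAY_STORE_INSTALLER, False),
    InstalledApp("com.example.wa.updater", "WhatsApp Updater", None, True),
    InstalledApp("com.example.flash.svc", "Flash  Update", None, False),
    InstalledApp("com.example.reader", "Screen Reader", None, True),
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_INVENTORY):
        print(f"{package}: score {score} ({'; '.join(reasons)})")
```

On a real device the inventory would be filled from the installer and accessibility settings the platform exposes to a device-management agent; a sideloaded lookalike that also holds Accessibility access scores 3 and is the case to investigate first, while a legitimate sideloaded screen reader still surfaces at score 2 and needs a human to clear it.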
The main purpose of the malware is to steal data relating to cryptocurrencies. Once it has the user's information, the group behind Ghimob carries out fraudulent transactions from the accounts it has compromised.
Ghimob has similarities with the BlackRock and Alien malware families. It is considered the simpler of the three, since it focuses solely on stealing users' personal information.
Kaspersky also says the malware primarily targets the banking industry in Brazil. Given its wide reach, however, Ghimob is believed to have been used against banks in Germany, Portugal, Peru, Paraguay, Angola and Mozambique as well.