10 November 2020

New Ghimob mobile banking trojan is preparing for international expansion

A new remote access trojan has been discovered that is designed to target financial Android apps from banks, fintechs, exchanges and cryptocurrency services in Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique. The new banking malware, dubbed Ghimob, is believed to have been developed by Guildma, a Brazil-based threat group that is part of the infamous Tétrade family of banking trojans, known for its scalable malicious activity both in Latin America and in other parts of the world.

Ghimob is what security researchers at Kaspersky call “a full-fledged spy in your pocket” - once a device is infected, the trojan’s operators can access it remotely, completing the fraudulent transaction from the victim’s smartphone.

“Even if the user has a screen lock pattern in place, Ghimob is able to record it and later replay it to unlock the device. When the cybercriminal is ready to perform the transaction, they can insert a black screen as an overlay or open some website in full screen, so while the user looks at that screen, the criminal performs the transaction in the background by using the financial app running on the victim’s smartphone that the user has opened or logged in to,” the researchers noted.

Kaspersky discovered the Ghimob trojan while investigating a Windows campaign from Guildma banking malware. The gang behind Ghimob does not use Google Play as a means to distribute the trojan but rather spreads it via malicious domains registered by Guildma operators.

The malware is distributed via an email that pretends to be from a creditor and provides a link where the recipient can supposedly view more information. The app itself is disguised as a popular tool such as Google Defender, Google Docs or WhatsApp Updater. If the recipient falls for the scam and opens the link in an Android browser, the Ghimob APK installer is downloaded to the smartphone; the victim still has to install it, which is why sideloading from an unknown source should be treated as a red flag.

“Once installed on the phone, the app will abuse Accessibility Mode to gain persistence, disable manual uninstallation and allow the banking trojan to capture data, manipulate screen content and provide full remote control to the fraudster: a very typical mobile RAT,” the researchers said.
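The capability Ghimob abuses, an enabled accessibility service, is visible to anyone with adb access to the device, so one practical triage step is to list which third-party apps hold one. The script below is an added example (not code from Kaspersky or from the article) that parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3` and flags non-allowlisted third-party packages with an enabled service. The package names and the allowlist are constructed sample data, not indicators of Ghimob.

```python
"""Triage helper: flag third-party Android apps that have an accessibility service enabled.

Added example, not code from the article or from Kaspersky. Feed it the raw output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
All package names below are constructed sample data, not real indicators.
"""
from typing import Dict, List, Set

# Services the device owner knowingly enabled (assumption: a vetted allowlist kept by the analyst).
ALLOWLIST: Set[str] = {"com.android.talkback"}

# Constructed sample output of `settings get secure enabled_accessibility_services`
# (entries are colon-separated "package/service"; a leading dot abbreviates the package).
SAMPLE_ENABLED = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/.AccessService"
)

# Constructed sample output of `pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """package:com.example.updater
package:com.example.notes
"""


def parse_enabled_services(raw: str) -> Dict[str, List[str]]:
    """Map package name -> fully qualified accessibility services enabled for it."""
    services: Dict[str, List[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":  # `settings get` prints "null" when nothing is enabled
        return services
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        package, cls = entry.split("/", 1)
        if cls.startswith("."):  # shorthand for a class inside the app's own package
            cls = package + cls
        services.setdefault(package, []).append(cls)
    return services


def parse_third_party(raw: str) -> Set[str]:
    """Collect package names from `pm list packages -3` output lines ("package:<name>")."""
    return {
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def suspicious_accessibility_apps(
    enabled_raw: str, third_party_raw: str, allowlist: Set[str] = ALLOWLIST
) -> Dict[str, List[str]]:
    """Third-party, non-allowlisted packages holding an enabled accessibility service.

    Such an app can read screen content and inject input on the user's behalf, which is
    exactly the capability a mobile RAT like Ghimob relies on, so every hit needs review.
    """
    enabled = parse_enabled_services(enabled_raw)
    third_party = parse_third_party(third_party_raw)
    return {
        pkg: svcs
        for pkg, svcs in enabled.items()
        if pkg in third_party and pkg not in allowlist
    }


if __name__ == "__main__":
    for pkg, svcs in suspicious_accessibility_apps(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY).items():
        print(f"REVIEW {pkg}: {', '.join(svcs)}")
```

On a real device, pipe the two adb commands' output into the functions instead of the constructed samples; an app named like a system updater that appears in the result, and that the user does not remember granting accessibility access to, is the pattern the article describes.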

According to Kaspersky, Ghimob is able to spy on 153 mobile apps, mainly from banks, fintechs, cryptocurrencies and exchanges. Previously most of the targeted apps were for Brazilian banks, but in recently updated versions, Kaspersky said Ghimob also expanded its capabilities to start targeting banks in Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola and Mozambique (one app per country).

“In fact, Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their customers living in other countries. Our telemetry findings have confirmed victims in Brazil, but as we saw, the trojan is well prepared to steal credentials from banks, fintechs, exchanges, crypto-exchanges and credit cards from financial institutions operating in many countries, so it will naturally be an international expansion,” the report stated.
