Crooks behind Ghimob banking trojan have ambitions far beyond Brazil, researchers say

It's a “full-fledged spy in your pocket.”
Banking trojans are an export of the Brazilian cybercriminal market (Flickr/Benjamin Thompson)

Cybercriminals have used a new malicious software kit to target banking customers in Brazil, but harbor ambitions far beyond the Latin American country, security researchers said Monday.

The data that anti-virus company Kaspersky released shows how an enterprising group of crooks has used Brazil to fine-tune their banking trojan, as the financially-focused malware is called. After successfully infecting numerous victims in Brazil, the campaign has expanded to target users in other Portuguese-speaking countries, from Angola to Mozambique to Portugal.

Ghimob, as the newly discovered trojan is known, has a series of features that could make it more effective than previous attempts by Brazilian malware developers to target users abroad, according to the researchers.

It is a “full-fledged spy in your pocket” that siphons off data through a number of means, Kaspersky researcher Fabio Assolini and his colleagues wrote in a blog post. It’s a fraudulent app, hosted outside of the Google Play Store, that once installed allows the attacker to swipe login credentials for a user’s bank. As part of the ruse, the attackers send emails posing as creditors telling recipients to follow a malicious link to learn more. From there, the app is downloaded and the theft begins.
The crooks have targeted not only banking customers, but also cryptocurrency exchanges and fin-tech companies, the researchers said.

“Latin American cybercriminals’ desire for a mobile-banking trojan with a worldwide reach has a long history,” Assolini said. For example, crooks previously used a different hacking tool that emerged from the Brazilian cybercriminal scene to target customers at several banks in Spain.

Whoever is behind Ghimob could be affiliated with another notorious banking trojan known as Guildma, the researchers said. Guildma has been used in prolific spamming operations, accounting for 10 times as many victims as other Latin American trojans, security experts at anti-virus company ESET said in March.

Cybercrime has long dogged the financial sector in Brazil, South America’s largest economy. A surge in coronavirus cases in Brazil was accompanied by hundreds of malicious COVID-19-related websites looking to rip people off.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.