{
	"id": "dd2960e1-29ed-4bd7-ae47-bef6a44710de",
	"created_at": "2026-04-06T00:08:29.317115Z",
	"updated_at": "2026-04-10T13:13:06.306229Z",
	"deleted_at": null,
	"sha1_hash": "1520aab3757f436e641138d7c3d35ea6e328a12b",
	"title": "Ghimob: a Tétrade threat actor moves to infect mobile devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 259570,
	"plain_text": "Ghimob: a Tétrade threat actor moves to infect mobile devices\r\nBy GReAT\r\nPublished: 2020-11-09 · Archived: 2026-04-05 21:54:29 UTC\r\nGuildma, a threat actor that is part of the Tétrade family of banking trojans, has been working on bringing in new\r\ntechniques, creating new malware and targeting new victims. Recently, their new creation, the Ghimob banking\r\ntrojan, has been a move toward infecting mobile devices, targeting financial apps from banks, fintechs, exchanges\r\nand cryptocurrencies in Brazil, Paraguay, Peru, Portugal, Germany, Angola and Mozambique.\r\nGhimob is a full-fledged spy in your pocket: once infection is completed, the hacker can access the infected\r\ndevice remotely, completing the fraudulent transaction with the victim’s smartphone, so as to avoid machine\r\nidentification, security measures implemented by financial institutions and all their antifraud behavioral systems.\r\nEven if the user has a screen lock pattern in place, Ghimob is able to record it and later replay it to unlock the\r\ndevice. When the cybercriminal is ready to perform the transaction, they can insert a black screen as an overlay or\r\nopen some website in full screen, so while the user looks at that screen, the criminal performs the transaction in\r\nthe background by using the financial app running on the victim’s smartphone that the user has opened or logged\r\nin to.\r\nFrom a technical standpoint, Ghimob is also interesting in that it uses C2s with fallback protected by Cloudflare,\r\nhides its real C2 with DGA and employs several other tricks, posing as a strong competitor in this field. But yet,\r\nno sign of MaaS (malware-as-a-service). 
Compared to BRATA or Basbanke, other mobile banking trojan families\r\noriginating in Brazil, Ghimob is far more advanced, richer in features and more persistent.\r\nMultiplatform financial attack\r\nWhile monitoring a Guildma Windows malware campaign, we found malicious URLs used for\r\ndistributing both ZIP files for Windows boxes and APK files, all from the same URL. If the user agent that clicked\r\nthe malicious link is an Android-based browser, the file downloaded is the Ghimob APK installer.\r\nThe APKs thus distributed pose as installers of popular apps; they are not on Google Play but are hosted\r\non several malicious domains registered by Guildma operators. Once installed on the phone, the app abuses\r\nAccessibility Mode to gain persistence, block manual uninstallation and allow the banking trojan to capture data,\r\nmanipulate screen content and give the fraudster full remote control: a very typical mobile RAT.\r\nSame link, different files: ZIP for Windows, APK for Android\r\nhttps://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/\r\nPage 1 of 6\n\nOur telemetry shows that all victims of the Ghimob mobile banking trojan are located in Brazil at the moment, but\r\nlike all other Tétrade threat actors, Ghimob has big plans to expand abroad.\r\nGhimob detections: Brazil for now, but ready to expand abroad\r\nTo lure the victim into installing the malicious file, the email is written as if from a creditor and provides a link\r\nwhere the recipient can supposedly view more information, while the app itself pretends to be Google Defender, Google\r\nDocs, WhatsApp Updater, etc.\r\nA malicious message distributing the malware, written in Brazilian Portuguese\r\nA persistent RAT in your pocket\r\nAs soon as the malware is launched, it tries to detect common emulators, checks whether a debugger is\r\nattached to the process, inspects its manifest file, and also checks for the debuggable flag. 
If any of these are present,\r\nthe malware simply terminates itself. Newer versions of the malware have moved the emulator names to an\r\nencrypted configuration file. If those checks pass, the user is presented with the default\r\nAndroid accessibility window, as the malware relies heavily on accessibility to work.\r\n“Google Docs” is asking you to provide Accessibility permissions\r\nOnce infection is completed, the malware sends an infection notification message to its notification\r\nserver. This includes the phone model, whether a screen lock is active and a list of all installed apps that the\r\nmalware targets, including version numbers. Ghimob spies on 153 mobile apps, mainly from banks,\r\nfintechs, cryptocurrency services and exchanges. By analyzing the malware, it is possible to see all the apps monitored\r\nand targeted by the RAT. These are mainly institutions in Brazil (where it watches 112 apps), but since Ghimob,\r\nlike other Tétrade threat actors, has been moving toward expanding its operations, it also watches the system for\r\ncryptocurrency apps from different countries (thirteen apps) and international payment systems (nine apps). Also\r\ntargeted are banks in Germany (five apps), Portugal (three apps), Peru (two apps), Paraguay (two apps), Angola\r\nand Mozambique (one app per country).\r\nThe malware also blocks the user from uninstalling it, restarting or shutting down the device. This is what happens\r\nwhen the user tries to remove Ghimob manually: (video in the original post)\r\nFallback C2s for complete remote control\r\nOnce installation is completed, Ghimob tries to hide its presence by hiding its icon from the app drawer. 
The\r\nmalware decrypts a list of hardcoded C2 providers from its configuration file and contacts each in turn to\r\nobtain the real C2 address, a technique we call “fallback channels”.\r\nThe C2 providers found are the same across all samples we analyzed, but the directory parameters of the request\r\nused to obtain the real C2 vary among samples, returning a different set of real C2 addresses. All of the\r\ncommunication is done over HTTP/HTTPS.\r\nControl Panel used by Ghimob for listing infected victims\r\nInstead of recording the user’s screen via the MediaProjection API, as BRATA does, Ghimob sends accessibility-related information from the currently active window, as can be seen below in the output produced by the “301” command\r\nsent from the C2. All the commands used by the RAT are described in our private report for customers of our\r\nFinancial Threat Intel Portal.\r\nClient:[TARGETED APP]\r\nID: xDROID_smg930a7.1.125_7206eee5b3775586310270_3.1\r\nData:Sep 24 2020 3:23:28 PM\r\nRef:unknown SAMSUNG-SM-G930A 7.1.1 25\r\nKeySec:trueKeyLock:falseDevSec:trueDevLock:false\r\ncom.sysdroidxx.addons - v:3.1\r\nAtivar Google Docs\r\n=======================================\r\nLink Conexao:hxxp://www.realcc.com\r\nSenha de 8 digitos:12345678\r\nSenha de 6 digitos:123456\r\n=======================================\r\n============== LOG GERAL ==============\r\n=======================================\r\n22{\u003c x \u003e}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView]\r\n22{\u003c x \u003e}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView]\r\n22{\u003c x \u003e}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView]\r\n16{\u003c x \u003e}[targeted app]--[TEXTO:]--[ID:null]--[DESCRICAO:Senha de 8 digitos]--[CLASSE:android.widget.EditText]\r\n0{\u003c \u003e}[targeted app]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout]\r\n1{\u003c \u003e}[targeted app]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.LinearLayout]\r\n2{\u003c \u003e}[targeted app]--[TEXTO:null]--[ID:android:id/content]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout]\r\n3{\u003c \u003e}[targeted app]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout]\r\n=======================================\r\n================ SALDOS ===============\r\n=======================================\r\n[DESCRICAO: Rolando Lero Agencia: 111. Digito 6. Conta-corrente: 22222. Digito .7]--[TEXTO:Account Rolando Lero]\r\n[DESCRICAO:Agencia: 111. Digito 6. Conta-corrente: 22222. Digito .7]--[TEXTO:111-6 22222-7]\r\n[DESCRICAO:Saldo disponivel\r\nR$ 7000,00]--[DESCRICAO:7000,00]--[TEXTO:R$ 7000,00]\r\n[TEXTO:Saldo disponivel]\r\n[DESCRICAO:Agendado ate 04/Out\r\nR$ 6000,00 ]--[DESCRICAO:6000,00 ]--[TEXTO:R$ 6000,00 ]\r\nThis is likely due to low Internet speeds in Brazil: sending text from time to time consumes less\r\nbandwidth than streaming a screen recording in real time, which increases the chances of a successful fraud for the\r\ncybercriminal. While BRATA uses an overlay with a fake WebView to steal credentials, Ghimob does not need to,\r\nas it reads the fields directly from the target app through accessibility features. The following words in\r\nPortuguese are monitored: saldo (balance), investimento (investment), empréstimo (loan), extrato\r\n(statement).\r\nConclusions\r\nIt took some time for Brazilian crooks to decide to try their hand at creating a mobile banking trojan with a\r\nworldwide reach. First we saw Basbanke, then BRATA, but both were heavily focused on the Brazilian market. In\r\nfact, Ghimob is the first Brazilian mobile banking trojan ready to expand and target financial institutions and their\r\ncustomers in other countries. Our telemetry has so far confirmed victims only in Brazil, but as we saw, the\r\ntrojan is well prepared to steal credentials from banks, fintechs, exchanges, crypto-exchanges and credit cards\r\nof financial institutions operating in many countries, so international expansion is the natural next step.\r\nWe believe this campaign could be related to the Guildma threat actor, a well-known Brazilian banking trojan, for\r\nseveral reasons, but mainly because they share the same infrastructure. 
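Going back to the “301” output shown above: the accessibility dump is a flat text format (an optional depth number, an event marker in braces, the package in square brackets, then TEXTO/ID/DESCRICAO/CLASSE fields separated by --) that a fraud or incident-response team can parse to see exactly which fields and balances the operator harvested. The parser below, an added example that is not part of the original post or of the malware, reads that format and flags records whose visible text contains the monitored Portuguese words, plus EditText widgets described as a password (senha) field. SAMPLE_LOG is constructed from the lines shown above, with the wrapped balance entries joined onto single lines; treating senha-labelled EditText widgets as credential fields is the editor’s assumption, not something the article attributes to Ghimob.

```python
import unicodedata

KNOWN_KEYS = ('TEXTO', 'ID', 'DESCRICAO', 'CLASSE')
# Words the article says Ghimob watches for in the active window.
MONITORED = ('saldo', 'investimento', 'empréstimo', 'extrato')

# Constructed sample in the format of the 301 output above (balance lines joined).
SAMPLE_LOG = '''
22{< x >}[com.android.launcher3]--[TEXTO:null]--[ID:com.android.launcher3:id/apps_list_view]--[DESCRICAO:null]--[CLASSE:android.support.v7.widget.RecyclerView]
16{< x >}[targeted app]--[TEXTO:]--[ID:null]--[DESCRICAO:Senha de 8 digitos]--[CLASSE:android.widget.EditText]
0{< >}[targeted app]--[TEXTO:null]--[ID:null]--[DESCRICAO:null]--[CLASSE:android.widget.FrameLayout]
[DESCRICAO: Rolando Lero Agencia: 111. Digito 6. Conta-corrente: 22222. Digito .7]--[TEXTO:Account Rolando Lero]
[DESCRICAO:Saldo disponivel R$ 7000,00]--[DESCRICAO:7000,00]--[TEXTO:R$ 7000,00]
[TEXTO:Saldo disponivel]
[DESCRICAO:Agendado ate 04/Out R$ 6000,00 ]--[DESCRICAO:6000,00 ]--[TEXTO:R$ 6000,00 ]
'''


def fold(s):
    # Lower-case and strip accents so 'empréstimo' also matches 'emprestimo'.
    return ''.join(c for c in unicodedata.normalize('NFKD', s.lower())
                   if not unicodedata.combining(c))


def parse_line(line):
    # One dumped node: [depth]{event}[package]--[KEY:value]--...  Lines in the SALDOS
    # section have no depth/event/package prefix, only the field list.
    line = line.strip()
    start = line.find('[')
    if start < 0:
        return None
    rec = {'depth': None, 'event': None, 'package': None, 'fields': []}
    brace = line.find('{')
    if 0 <= brace < start:
        prefix = line[:brace].strip()
        rec['depth'] = int(prefix) if prefix.isdigit() else None
        rec['event'] = line[brace + 1:line.find('}')].strip()
    for piece in line[start:].split(']--['):
        piece = piece.strip().strip('[]')
        key, sep, val = piece.partition(':')   # split on the first colon only: IDs contain colons
        if sep and key in KNOWN_KEYS:
            rec['fields'].append((key, None if val.strip() == 'null' else val.strip()))
        elif rec['package'] is None:
            rec['package'] = piece
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def widget_class(rec):
    return next((v for k, v in rec['fields'] if k == 'CLASSE'), None) or ''


def visible_text(rec):
    # What the operator actually sees: the text and content-description values.
    return ' '.join(v for k, v in rec['fields'] if k in ('TEXTO', 'DESCRICAO') and v)


def find_sensitive(records, monitored=MONITORED):
    hits = []
    for rec in records:
        text = fold(visible_text(rec))
        words = [w for w in monitored if fold(w) in text]
        # Assumption for the demo: an EditText described as a 'senha' field is a credential prompt.
        if widget_class(rec).endswith('EditText') and 'senha' in text:
            words.append('senha')
        if words:
            hits.append({'package': rec['package'] or 'unknown',
                         'words': words, 'text': visible_text(rec)})
    return hits


if __name__ == '__main__':
    for hit in find_sensitive(parse_log(SAMPLE_LOG)):
        print(hit['package'], hit['words'], hit['text'])
```

The same parser can be run over a full 301 dump recovered from a C2 panel or a sample’s network capture; the words list is the place to add an institution’s own field labels.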
It is also important to note that the protocol\r\nused in the mobile version is very similar to that used for the Windows version.\r\nWe recommend that financial institutions watch these threats closely, while improving their authentication\r\nprocesses, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate all of the\r\nrisks that this new mobile RAT family poses. All the details, IoCs, MITRE ATT\u0026CK Framework data, Yara rules\r\nand hashes relating to this threat are available to users of our Financial Threat Intel services. Kaspersky\r\nproducts detect this family as Trojan-Banker.AndroidOS.Ghimob.\r\nIndicators of Compromise\r\nReference hashes (MD5):\r\n17d405af61ecc5d68b1328ba8d220e24\r\n2b2752bfe7b22db70eb0e8d9ca64b415\r\n3031f0424549a127c80a9ef4b2773f65\r\n321432b9429ddf4edcf9040cf7acd0d8\r\n3a7b89868bcf07f785e782b8f59d22f9\r\n3aa0cb27d4cbada2effb525f2ee0e61e\r\n3e6c5e42c0e06e6eaa03d3d890651619\r\n4a7e75a8196622b340bedcfeefb34fff\r\n4b3743373a10dad3c14ef107f80487c0\r\n4f2cebc432ec0c4cf2f7c63357ef5a16\r\nSource: https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/"
	],
	"report_names": [
		"99228"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434109,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1520aab3757f436e641138d7c3d35ea6e328a12b.pdf",
		"text": "https://archive.orkl.eu/1520aab3757f436e641138d7c3d35ea6e328a12b.txt",
		"img": "https://archive.orkl.eu/1520aab3757f436e641138d7c3d35ea6e328a12b.jpg"
	}
}