Hi Guys,

Hackers are always trying to steal money and they have released a new attack this week that directly targets banking apps on mobile devices, infecting devices with actual SPYWARE. Attacks like this are happening all the time but this one is taking it to the next level.

Affecting 153 apps so far, including 112 banking apps in Europe, Africa and parts of Central and South America, this attack could soon be global.

What’s happening?

This attack is the latest from a threat group known as Guildma, who deployed a banking Trojan attack only a few months ago. They have expanded and upgraded their attack by now infecting devices with SPYWARE. This is quite worrying because once it's on a device, they can use your device just like you can. This means they can bypass all the security and anti-fraud measures banking institutions have in place, as your bank will essentially think it is you making the transaction.

How does it get on your device?

The classic attack used by hackers everywhere is responsible. They use a phishing attack, meaning an email is sent around with a link. Once you click on that link your device is infected with extremely invasive malicious software, SPYWARE.

How does it work?

Known as the ‘Ghimob’ attack, once you click that link your device is infected with spyware and:

  • The hacker gains full control of your device.
  • The spyware hides on your device so you will not know it is there.
  • It uses Android's accessibility features to manipulate the behaviour on the device so it can disable manual uninstallation of the spyware.
  • It captures keystrokes so it can duplicate your behaviours.
  • It can manipulate screen content.

So what does all that mean? 

Well, if it isn't scary enough having a hacker take control of your device, the whole purpose of the actions outlined above is to mimic your behaviour so they can use your banking app to make transactions. When the hacker is ready to process the transaction they can overlay a screen on the device, like a website page or black screen, so you don't know what's happening. They can then perform the transaction on your banking app. They can even bypass a screen lock pattern: they record the pattern, then replay it later and unlock the device.

How to protect yourself? 

I do say this a lot, but don't click on any malicious links. However, it is sometimes very hard to know if an email is genuine or not. Cybercriminals are improving their tactics all the time. Links can look like they are from a service or company you use, emails can use your details and name, and they can even come from what looks like a ‘real’ email address.

You can follow some steps to help identify phishing emails:

  1. Make sense of the email. How does it relate to you? Do they use one of the phishing classics:
  • They say they've noticed suspicious activity/log-in attempts
  • They claim there's a problem with your account or your payment information
  • They ask you to confirm some personal information
  • They include a fake invoice or document
  • They ask you to click on a link to make a payment
  • They say you're eligible for a refund or government refund
  • They offer free stuff or a coupon
  2. Are there warning signs?

Legit companies do not:

  • Request your details via email
  • Force you to their website
  • Send unsolicited attachments
  • Make grammar mistakes

Real companies do:

  • Use your name and not ‘Dear member’ or ‘Dear Valued Customer’
  • Have domain names in their employee email addresses. Hover the mouse over the sender address to see the real email address.
  • Have emails that match their website address [email protected], not [email protected]
  3. There is a link. This is the biggest indicator that the email could be a phishing attack. The very presence of a link means you should be careful of the email and run through the points above.

If an email raises any flags outlined above, I recommend you delete it.
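For anyone who wants to run the checklist above over a saved email, here it is in Python. This is an added example, not part of the original newsletter. The sample message, the `phishing_flags` helper, the flag names and the `example.com` domains are all made up for illustration, and the link-host check goes one step beyond the list by comparing each link against the company's website domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not a real email; all domains are placeholders.
SAMPLE = """\
From: "Your Bank" <support@bank-alerts.example.net>
Subject: Suspicious log-in attempt on your account

Dear Valued Customer,
We noticed suspicious activity. Please confirm your personal information
at http://verify.example.net/login within 24 hours.
"""

GENERIC_GREETINGS = ("dear member", "dear valued customer")
CLASSIC_WORDING = ("suspicious activity", "log-in attempt", "problem with your account",
                   "payment information", "personal information", "invoice",
                   "refund", "coupon")

def domain_matches(host, expected):
    """True if host is the expected domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

def phishing_flags(raw, expected_domain):
    """Return the checklist flags raised by one raw email, in check order."""
    msg = message_from_string(raw)
    flags, body = [], ""
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not domain_matches(sender_domain, expected_domain):
        flags.append("sender-domain-mismatch")
    for part in msg.walk():
        if part.get_filename():                      # unsolicited attachment
            flags.append("attachment")
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic-greeting")
    if any(w in text for w in CLASSIC_WORDING):
        flags.append("classic-phishing-wording")
    links = re.findall(r"https?://[^\s<>\"']+", body)
    if links:
        flags.append("contains-link")
    if any(not domain_matches(urlparse(u).hostname or "", expected_domain) for u in links):
        flags.append("link-domain-mismatch")
    return flags

if __name__ == "__main__":
    print(phishing_flags(SAMPLE, "example.com"))
```

An empty list only means none of these simple checks fired, not that the email is safe.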

All the best guys, and stay safe.

Max Roberts
Incognito Privacy Care