New 'Ghimob' malware can spy on 153 Android mobile applications

Kaspersky says the new Android trojan has been offered for download packed inside malicious Android apps on sites and servers previously used by the Astaroth (Guildama) operation.

Distribution was never carried out via the official Play Store.

Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.

These apps mimicked official apps and brands, with names such as Google Defender, Google Docs, WhatsApp Updater, or Flash Update. 

If users were careless enough to install the apps despite all the warnings shown on their devices, the malicious apps would request access to the Accessibility service as a final step in the infection process.