Phantom Hand Attack: new Brazilian coup steals the victim before his own eyes

Picture the scene: you open your phone, try to unlock it, and suddenly the screen is all black. Everything looks normal, so you repeat the unlock pattern. The interface remains the same, but you don’t remember opening the banking app in the last few seconds. And at that point you see the cell phone, alone, stealing your entire balance. It sounds like a nightmare, but it’s worse—it’s true. This is a Phantom Hand Attack, a new category of high-risk malware born in Brazil and already harassing international victims.

Officially named Ghost Hand Attack, the modality was introduced today at Kaspersky’s [email protected] 2021 Forum, and attacks mobile devices exclusively. The digital security analyst, Fábio Assolini, described the scam as “an invisible hand that uses your cell phone right in front of you”, and depends on both malware and fraud to operate.


In practice, it works like this: A remote access trojan (RAT) is installed by fraudulent email that offers a fake application update, or scareware tactics — the famous alarmist “your Android is infected” advertisements. And then, the program opens access to the cybercriminal, who can use your cell phone in real time.

RATs bypass all user authentication systems, and give smartphone priority to scammers. In all cases of Ghost Hand Attack, malware takes administrative privilege of the device. And removing them is not easy. When trying to uninstall, malicious programs automatically close the screen, or hide them from the list of installed apps.

Phantom Hand Attack is undetectable for financial institutions

So far, only three families of RATs used in Ghost Hand Attacks have been detected by the institutions: the banking trojan group Ghimob, Brata and TwMobo. Initially acting only in Brazil, today the three malicious programs have already victimized people and institutions in Latin America, Europe and the United States.

And because these are transactions directly from the victim’s cell phone, it is difficult for financial institutions to detect that the transfers originate from fraud. RATs do not pierce security or personal access blocks directly from the infected device. In addition, they have direct access to authentication factors, such as SMS code and email, and can change passwords to whatever they want.

Malware emerged in 2019, but it has intensified now

Trojan horse/symbol of a red trojan horse on blue computer circuit board background
Ghimob Remote Banking Trojan returns with new target banks. (Image: wk1003mike/Shutterstock)

Pioneer of Ghost Hand Attack malware, Brata appeared in 2019, and has reappeared today with some modifications. The trojan appears as a fake app on the Google Play Store itself and, when infecting a device, allows full remote control of the device, redirecting it to phishing pages.

In its resurgence, BRata came up with six new lines of code, for theft of international bank accounts. The number of installs of this Phantom Hand Attack app has reached 40,000.

Ghimob is another remote trojan that acts in a similar way. By abusing the smartphone’s motion detection feature, used to guide people with low vision, the trojan tracks the hits of everything the victim sees and does. In this way, it captures passwords and unlock patterns.

“The main novelty of Ghimob is the technique used to circumvent biometric authentication”, explains Assolini. “Criminals call victims posing as the bank’s technical support and ask them to confirm her identity via a video call. At this point, they record the call to use the video for bank authentication”.

TwMobo is only removed with mobile reset or antivirus

However, the most recent of the three Ghost Hand Attacks causes even greater concern. Dubbed “Hard to Kill”, TwMobo trojans not only take full control of the smartphone, but also lock the device in Protect Mode.

The danger of this latest malware lies in the fact that it targets not just banking details and social networks, but all victim behavior. The trojan also captures a victim’s views and interests to sell the data to e-commerces, acting as a more nefarious version of Facebook’s trackers.

woman using cell phone with numbers in front
Malware spies on social networks and pages visited to sell data to companies. (Image: boyhey/Shutterstock)

To make matters worse, this family’s attacks use more advanced protections than their predecessors. “TwMobo is hidden after installation,” warns Assolini. “As criminals have device control and administrator permissions, they can simply hide the icon on their first remote access.”

The expert advises that, in all incidences of this variation, the Phantom Hand Attack was only removable by a factory reset, or with an updated antivirus scan.

Read more:

Image: GSPsp/Shutterstock

Have watched our new videos on YouTube? Subscribe to our channel!