Banking Trojans Grandoreiro (Windows) and BTMOB RAT (Android) Target Companies in Spain, Portugal, Mexico and Mobile Users in Brazil
What Happened – Threat researchers at WatchGuard and ESET uncovered two coordinated banking‑trojan campaigns. The Grandoreiro malware is being delivered to Windows workstations, while the BTMOB remote‑access trojan is targeting Android smartphones. Both families are aimed at stealing banking credentials and facilitating fraudulent transactions.
Why It Matters for TPRM –
- Financial‑focused malware on corporate endpoints can lead to credential theft, unauthorized fund transfers, and reputational damage.
- Android‑based RATs expand the attack surface to employee mobile devices, often used for remote work or BYOD programs.
- The campaigns focus on organizations operating in Spain, Portugal, Mexico and on consumers in Brazil, highlighting a regional supply‑chain risk for multinational vendors.
Who Is Affected – Financial services firms, multinational corporations with offices in the listed countries, and any enterprise that permits Android devices for business use.
Recommended Actions –
- Review third‑party vendor security assessments for any partners located in the affected regions.
- Enforce multi‑factor authentication for banking and financial applications on both desktop and mobile platforms.
- Deploy endpoint detection and response (EDR) solutions capable of detecting Grandoreiro and BTMOB signatures.
- Conduct phishing awareness training and enforce strict app‑installation policies on Android devices.
Technical Notes – The campaigns use phishing emails and malicious app downloads to deliver the payloads. Grandoreiro leverages known banking‑trojan techniques such as web‑injects and credential harvesting. BTMOB RAT provides full remote control of infected Android devices, enabling data exfiltration and SMS‑based fraud. No specific CVEs were cited. Source: The Hacker News