
Published on March 25th, 2020

Ginp Mobile Banker Targets Spain with “Coronavirus Finder” Lure



In today's deluge of malicious campaigns exploiting the COVID-19 topic, handlers of the Android banking trojan Ginp stand out with operation Coronavirus Finder.

They prey on the anxiety generated by the massive spread of the virus and open, on infected devices, a page claiming to show the location of infected people nearby for a small fee.

The purpose is to make victims provide payment card data in the hope of learning how close they are to infected individuals.

It's a particularly heinous campaign because it targets users in Spain, a country that's been hit hard by the new coronavirus: close to 3,000 people died from the virus and almost 40,000 are infected.

A loathsome lure

Ginp started in June 2019 as an SMS stealer and quickly evolved into a banking trojan, with code borrowed from Anubis, that targeted banks in Spain and the U.K.

In a recent version, the malware used the Accessibility feature in Android and fake push notifications to make victims open apps for which Ginp had an overlay ready that asked for payment card data.

Researchers at Kaspersky are now seeing that Ginp operators are sending the malware a special command that opens a webpage called Coronavirus Finder.

The page claims that 12 people infected with the new coronavirus are in the vicinity of the victim and promises to show their location for 0.75 EUR.

This is just to lure the victim into providing their payment card data, which is delivered to the cybercriminals. Once the info is provided, nothing happens.





"They don’t even charge you this small sum (and why would they, now that they have all the funds from the card at their command?)," writes Alexander Eremin, malware analyst at Kaspersky, in a blog post today.

The source of inspiration for this lure may be the "Shield" mobile app recently released by the Israeli Ministry of Health, which alerts users if they've been at a location at the same time as a known Coronavirus carrier.

Telemetry data from Kaspersky shows that Ginp's main targets for this campaign are users in Spain. However, they warn that this operation may expand beyond Spain's territory.

"However, this is a new version of Ginp that is tagged “flash-2”, while previous versions were tagged “flash-es12”. Maybe the lack of “es” in the tag of the newer version means that cybercriminals plan to expand the campaign beyond Spain" - Alexander Eremin

These days, it is easy to render the new Ginp campaign ineffective: staying home ensures that you're at a safe distance from people carrying COVID-19 (check here for guidelines from WHO).

Also, in this time of public health crisis, governments are the only entities with the most accurate information about the spread of the new coronavirus. If they made such an app available, they would not charge users for details on the current situation.

For mobile malware that does not use COVID-19 lures, following standard security recommendations should be enough to keep you safe:

  • install a reliable security solution
  • download apps from official sources
  • do not give apps other than antivirus permission to use the Accessibility feature
  • don't click on links from suspicious sources
  • don't provide sensitive information (access codes, logins, payment details) to forms that look suspicious
