Original Post from Security Affairs
Author: Pierluigi Paganini
Security experts have spotted a new COVID-themed campaign aimed at distributing the Ginp Mobile Banker with a “Coronavirus Finder” lure.
With the COVID-19 outbreak, the number of Coronavirus-themed attacks is rapidly increasing. Kaspersky Lab experts have uncovered a malicious campaign that is spreading the Android banking trojan
The malicious app claims to show the location of the infected people nearby for a small fee, using this app
This campaign is targeting Spain, one of the countries with the highest number of infected individuals that are facing a critical emergency due to the
These crooks are jackals ready to exploit the fear of the people to monetize their efforts.
The initial version of the malware dates back to early June 2019. It masqueraded as a “Google Play Verificator” app and was developed to steal victims’ SMS messages. In August, its authors implemented some banking-specific features and started spreading the malicious code as fake “Adobe Flash Player” apps.
The malware abuses the Accessibility Service to perform overlay attacks and become the default SMS app.
By using overlay attacks as part of a generic credit card grabber, the malware targets social and utility apps, including Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram, and Twitter.
A more recent version was also able to target the Snapchat and Viber applications.
Experts noticed that the third version spotted in the wild includes the source code of the Anubis Trojan that was leaked earlier this year. This variant no longer includes social apps in the target list; instead, it focuses on banks.
The campaign recently spotted by Kaspersky employs a version of the malware that opens a called Coronavirus Finder claiming the presence of 12 people infected with the Coronavirus in the vicinity of the victim and offers to show their location for 0.75 EUR.
“Once you fill in your credit card data, it goes directly to the criminals… and nothing else happens. They don’t even charge you this small sum (and why would they, now that they have all the funds from the card at their command?). And of course, they don’t show you any information about people infected with
This is just to lure the victim into providing their payment card data, which is delivered to the cybercriminals. Once the info is provided, nothing happens.
According to data from
Below are the recommendations provided by Kaspersky to avoid being infected with this malware:
Our advice on how to stay safe from Ginp Banking Trojan remains the same:
- Download apps only from Google Play (and disable the option to install apps from other sources).
- Stay skeptical. If something seems suspicious – don’t click and, most importantly, don’t give any sensitive data such as logins, passwords and payment credentials away.
- Do not give the Accessibility permission to apps that request it, other than anti-virus apps.
- Use a reliable security solution. For example, Kaspersky Internet Security for Android is quite aware of Ginp and detects it as Trojan-Banker.AndroidOS.Ginp.
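The two capabilities described above (Accessibility Service abuse and taking over the default SMS app) can be audited on a device you manage. The following is an added example, not from the original article or from Kaspersky: it parses the text returned by standard `adb shell` commands and flags packages that hold either role without having been installed by Google Play. The package names are constructed samples, and the "not installed by Google Play" heuristic and the `audit` helper are assumptions made for illustration.

```python
# Inputs are the text returned by (run on a device you manage):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
#   adb shell pm list packages -i
PLAY_INSTALLER = "com.android.vending"  # installer name recorded for Google Play installs

def accessibility_packages(setting):
    """'pkg/.Service:pkg2/cls' -> set of package names; 'null' or empty -> empty set."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}

def installers(pm_output):
    """Parse 'package:NAME  installer=SOURCE' lines into {NAME: SOURCE}."""
    result = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, source = line[len("package:"):].partition("installer=")
        result[name.strip()] = source.strip() or "null"
    return result

def audit(a11y_setting, sms_setting, pm_output, allowlist=frozenset()):
    """Flag non-Play packages that hold Accessibility or the default SMS role."""
    source = installers(pm_output)
    a11y = accessibility_packages(a11y_setting)
    sms = sms_setting.strip()
    candidates = a11y | ({sms} if sms and sms != "null" else set())
    findings = []
    for pkg in sorted(candidates):
        if pkg in allowlist or source.get(pkg) == PLAY_INSTALLER:
            continue
        held = (("accessibility", pkg in a11y), ("default_sms", pkg == sms))
        roles = [role for role, has_role in held if has_role]
        findings.append((pkg, roles, source.get(pkg, "unknown")))
    return findings

# Constructed sample output; com.example.* packages are hypothetical.
SAMPLE_A11Y = "com.example.finder/.Svc:com.google.android.marvin.talkback/.TalkBackService"
SAMPLE_SMS = "com.example.finder"
SAMPLE_PM = """package:com.example.finder  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.notes  installer=com.android.vending"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_A11Y, SAMPLE_SMS, SAMPLE_PM):
        print(finding)
```

A package that appears with both roles and no Play installer is worth reviewing first; pass known-good packages (for example an MDM agent) through `allowlist`.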