
Fake Coronavirus Finder spread Ginp Mobile Banker

Security experts have spotted a new COVID-themed campaign aimed at distributing the Ginp Mobile Banker with a “Coronavirus Finder” lure.

With the COVID-19 outbreak, the number of Coronavirus-themed attacks is rapidly increasing. Kaspersky Lab experts have uncovered a malicious campaign that is spreading the Android banking trojan Ginp masquerading as a Coronavirus Finder.

“Cybercriminals behind Ginp, a banking Trojan that we have covered recently (here’s a post about Ginp on Kaspersky Daily), are up to a new campaign related to COVID-19. After Ginp receives a special command, it opens a web-page called Coronavirus Finder.” reads the post published by Kaspersky. “It has a simple interface that shows the number of people infected with the coronavirus near you and urges you to pay a small sum to see the location of those people.”

The malicious app claims to show the location of infected people nearby for a small fee; the crooks use this lure to trick victims into providing their payment card data.

This campaign is targeting Spain, one of the countries with the highest number of infected individuals, which is facing a critical emergency due to the Coronavirus outbreak.

These crooks are jackals ready to exploit the fear of the people to monetize their efforts.

Ginp was first spotted in October by Kaspersky while targeting Spain and the UK, but researchers believe it has been active since at least June. The malware has already received five major updates, with the latest one borrowing pieces of code from the Anubis banking Trojan.

The initial version of the malware dates back to early June 2019; it masqueraded as a “Google Play Verificator” app and was developed to steal the victim’s SMS messages. In August, its authors implemented some banking-specific features and started spreading the malicious code as fake “Adobe Flash Player” apps.

The malware abuses the Accessibility Service to perform overlay attacks and become the default SMS app.

By using overlay attacks as part of a generic credit card grabber, the malware targets social and utility apps, including Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram, and Twitter.

A more recent version was also able to target the Snapchat and Viber applications.

Experts noticed that the third version spotted in the wild includes the source code of the Anubis Trojan that was leaked earlier this year. This variant no longer includes social apps in its target list; instead, it focuses on banks.

The campaign recently spotted by Kaspersky employs a version of the malware that opens a web page called Coronavirus Finder, claiming the presence of 12 people infected with the Coronavirus in the vicinity of the victim and offering to show their location for 0.75 EUR.

“Once you fill in your credit card data, it goes directly to the criminals… and nothing else happens. They don’t even charge you this small sum (and why would they, now that they have all the funds from the card at their command?). And of course, they don’t show you any information about people infected with coronavirus near you, because they don’t have any.” continues the analysis published by Kaspersky.

This is just to lure the victim into providing their payment card data, which is delivered to the cybercriminals. Once the info is provided, nothing happens.

According to data from Kaspersky Security Network, most of the infections of this new variant of the Ginp Trojan, tracked as ‘flash-2,’ are in Spain.

Below are the recommendations provided by Kaspersky to avoid being infected with this malware:

  • Download apps only from Google Play (and disable the option to install apps from other sources).
  • Stay skeptical. If something seems suspicious – don’t click and, most importantly, don’t give any sensitive data such as logins, passwords and payment credentials away.
  • Do not give the Accessibility permission to apps that request it, other than anti-virus apps.
  • Use a reliable security solution. For example, Kaspersky Internet Security for Android is quite aware of Ginp and detects it as Trojan-Banker.AndroidOS.Ginp.
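As an added defender-side example (not code from this article or from Kaspersky), the POSIX shell helper below audits the two device settings Ginp abuses: the list of enabled accessibility services and the default SMS handler. The allowlist packages and the `com.flash.player` sample input are constructed for the demo.

```shell
#!/bin/sh
# Audit helper (added example, not from the article): flags enabled Android
# accessibility services whose package is not on an allowlist, and checks
# the default SMS handler. On a real device the inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
# The first prints component names ("package/class") separated by ':'.

# Packages allowed to hold the Accessibility permission. Hypothetical
# values: replace with the screen reader and vetted security app you use.
ALLOWED="com.google.android.marvin.talkback com.example.vetted_av"

# Prints the package of every enabled service not in ALLOWED, one per line.
suspicious_a11y() {
    services="$1"
    old_ifs="$IFS"
    IFS=':'
    for svc in $services; do
        [ -z "$svc" ] && continue
        pkg="${svc%%/*}"            # "package/class" -> "package"
        case " $ALLOWED " in
            *" $pkg "*) ;;            # on the allowlist
            *) printf '%s\n' "$pkg" ;;  # not vetted: report it
        esac
    done
    IFS="$old_ifs"
}

# Returns 0 if the current default SMS handler ($1) is the expected
# package ($2), 1 otherwise. Ginp makes itself the default SMS app.
sms_handler_ok() {
    [ "$1" = "$2" ]
}

# Constructed sample: a screen reader plus a fake "Flash Player" service
# of the kind described above.
SAMPLE="com.google.android.marvin.talkback/.TalkBackService:com.flash.player/.AccessService"

if [ "${1:-}" = "--demo" ]; then
    echo "Accessibility services not on the allowlist:"
    suspicious_a11y "$SAMPLE"
    sms_handler_ok "com.flash.player" "com.google.android.apps.messaging" \
        || echo "Default SMS handler is not the expected app"
fi
```

Run with `--demo` to see the constructed sample flagged; on a real device feed the two `settings get secure` outputs to the functions instead.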

Pierluigi Paganini

(SecurityAffairs – Ginp, coronavirus)
