Security researchers are warning about a new campaign by an Android banking Trojan. It tricks users into handing over their payment card details in exchange for fake information on the identities of people infected with COVID-19 in their immediate area.
The Ginp Trojan has been seen before: Kaspersky researchers observed earlier campaigns, specifically in Spain, that used it to trick people into sharing their financial details. The naming of the version now in circulation suggests it may be preparing to expand beyond Spain and scam more users.
Ginp Trojan using fake maps and fear of the pandemic
The latest version opens a web page on the victim's Android device. This "Coronavirus Finder" page claims to show a map of the number of people in the viewer's local area who have contracted the virus. The operators behind Ginp are using social engineering to prey on people's fear during the pandemic, asking for €0.75 to view the map of alleged infections and identities.
Alexander Eremin, a Kaspersky malware analyst, noted that Ginp relies on many different lures to get its victims to enter their credit card data into forms, which lets the threat actors collect the data with little effort. "If you guessed this web-page is just another form aimed at stealing data — you've guessed it right," Eremin said.
Once the card data is entered, it goes straight to the criminals. There is no map of real infected people, and the operators don't even charge the advertised €0.75. The result is that the threat actors walk away with the victims' payment card details.
Users are advised to download apps only from the Google Play store and to run antivirus or anti-malware software on their devices. Another step they can take is to refuse the Accessibility permission to any app that requests it, other than legitimate security apps.
How did the Ginp Trojan come into existence?
The first version spotted by security researchers dates back to early June 2019. It posed as a 'Google Play Verificator' app and was little more than a simple SMS stealer, sending copies of incoming and outgoing messages to a command-and-control server.
Months later, in August 2019, a new version was released with more specialized, banking-focused features. That version and those after it posed as 'Adobe Flash Player' apps. The malware could perform overlay attacks, become the default SMS app, and abuse the Accessibility Service. The overlay was a generic credit card stealer that targeted utility and social apps such as WhatsApp, Skype, Chrome, Instagram, Twitter, Facebook, and Google Play.
Although the early versions already had some string and code obfuscation, later versions improved their protection with payload obfuscation. The malware's capabilities were unchanged, but a new endpoint was added to the command-and-control server so that the generic credit card stealer overlay and the app-specific target overlays were handled separately. Viber and Snapchat were added to the target list.
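The two device settings that the capabilities above depend on, and that the advice to refuse the Accessibility permission is about, can be audited from a workstation over adb. The script below is an added example written for this page; it is not code from the article, from Kaspersky or from the malware's analysts. It parses the value of the Android secure settings `enabled_accessibility_services` and `sms_default_application` (the real values come from `adb shell settings get secure <name>`) and flags any package that holds accessibility access or the default-SMS role without being on an allowlist. The allowlisted package names and the "Flash Player" lookalike in the sample input are constructed for illustration, so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or from Kaspersky/ThreatFabric.
# Audits two Android settings that an overlay/SMS-stealing banking Trojan
# such as Ginp abuses: the enabled accessibility services and the default
# SMS application. On a real device the raw values come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
# The constructed sample values at the bottom stand in for that output.

# Allowlists (assumption: illustrative package names, tune for your fleet).
ALLOWED_ACCESSIBILITY="com.google.android.marvin.talkback"
ALLOWED_SMS="com.google.android.apps.messaging com.android.messaging"

# in_list NEEDLE LIST: succeed if NEEDLE is one of the space-separated words.
in_list() {
    for w in $2; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# list_suspicious_services RAW
# RAW is the colon-separated list of package/ServiceClass entries as stored
# in enabled_accessibility_services. Prints every entry whose package is not
# allowlisted, one per line (prints nothing when all are allowlisted).
list_suspicious_services() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        pkg="${entry%%/*}"
        in_list "$pkg" "$ALLOWED_ACCESSIBILITY" || printf '%s\n' "$entry"
    done
}

# check_default_sms PKG: succeed only if the default SMS handler is allowlisted.
check_default_sms() {
    in_list "$1" "$ALLOWED_SMS"
}

# audit ACCESSIBILITY_RAW SMS_PKG
# Prints one line per finding; returns 0 for a clean device, 1 otherwise.
audit() {
    findings=0
    for svc in $(list_suspicious_services "$1"); do
        echo "SUSPICIOUS accessibility service: $svc"
        findings=1
    done
    if ! check_default_sms "$2"; then
        echo "SUSPICIOUS default SMS app: $2"
        findings=1
    fi
    return "$findings"
}

# Constructed sample: a fake "Flash Player" package has registered an
# accessibility service and taken over the default SMS role, next to the
# legitimate TalkBack service.
SAMPLE_ACCESSIBILITY="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.flashplayer/.AccessibilityService"
SAMPLE_SMS="com.example.flashplayer"

audit "$SAMPLE_ACCESSIBILITY" "$SAMPLE_SMS" || echo "device needs attention"
```

On a real device, replace the two sample variables with the output of the `adb shell settings get secure` commands shown in the header comment; a package that appears in both findings has acquired exactly the two footholds the overlay and SMS-interception features need.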
The Ginp Trojan evolves to steal banking information
In the third version, the author reused parts of the Anubis Trojan. This came with changes to the overlay target list, which moved away from social apps and focused on banks instead. The targeted apps belonged to Spanish banks and included targets not previously seen in other Android banking Trojans. Twenty-four of them were related to seven Spanish banks, including Bankinter, Evo Banco, BBVA, Kutxabank, Santander, and Caixa Bank.
The most recent version of Ginp was detected at the end of November 2019. It contains modifications that appear unused so far, and its behavior does not differ from the previous version. The author added device-administrator permission functionality and a new endpoint for downloading an additional module.