Security experts have spotted a new COVID-themed campaign aimed at distributing the Ginp Mobile Banker with a “Coronavirus Finder” lure.

With the COVID-19 outbreak, the number of Coronavirus-themed attacks is rapidly increasing. Kaspersky Lab experts have uncovered a malicious campaign that is spreading the Android banking trojan Ginp masquerading as a Coronavirus Finder.

“Cybercriminals behind Ginp, a banking Trojan that we have covered recently (here’s a post about Ginp on Kaspersky Daily), are up to a new campaign related to COVID-19. After Ginp receives a special command, it opens a web-page called Coronavirus Finder.” reads the post published by Kaspersky. “It has a simple interface that shows the number of people infected with the coronavirus near you and urges you to pay a small sum to see the location of those people.”

The malicious app claims to show the location of infected people nearby for a small fee; crooks use it to trick victims into providing their payment card data.

This campaign is targeting Spain, one of the countries with the highest number of infected individuals, which is facing a critical emergency due to the Coronavirus outbreak.

These crooks are jackals ready to exploit the fear of the people to monetize their efforts.

Ginp was first spotted in October by Kaspersky while targeting Spain and the UK, but researchers believe it has been around since June. The malware has already received five major updates, with the latest one borrowing pieces of code from the Anubis banking Trojan.

The initial version of the malware dates back to early June 2019; it masqueraded as a “Google Play Verificator” app and was developed to steal victims’ SMS messages. In August, its authors implemented some banking-specific features and started spreading the malicious code as fake “Adobe Flash Player” apps.

The malware abuses the Accessibility Service to perform overlay attacks and become the default SMS app.

By using overlay attacks as part of a generic credit card grabber, the malware targets social and utility apps, including Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram, and Twitter.

A more recent version was also able to target Snapchat and Viber applications.

Experts noticed that the third version spotted in the wild includes the source code of the Anubis Trojan that was leaked earlier this year. This variant no longer includes social apps in the target list; instead, it focuses on banks.

The campaign recently spotted by Kaspersky employs a version of the malware that opens a web page called Coronavirus Finder, which claims that 12 people infected with the Coronavirus are in the vicinity of the victim and offers to show their location for 0.75 EUR.
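The pairing described above, an Accessibility Service together with the ability to act as the default SMS app, is declared in an app's manifest and can be checked before installation is allowed. The following Python function is an added example, not code from Kaspersky's analysis or from this article; it triages an AndroidManifest.xml already decoded to text (for example with apktool), and the sample manifest, package name and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"  # delivered only to the default SMS app
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}

# Constructed sample manifest of a hypothetical app (not taken from a real Ginp sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsIn" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def name_of(element):
    """Return the android:name attribute of a manifest element."""
    return element.get(ANDROID + "name")

def triage_manifest(xml_text):
    """Flag apps that declare an Accessibility Service and also handle SMS."""
    root = ET.fromstring(xml_text)
    requested = {name_of(p) for p in root.iter("uses-permission")}
    a11y = [name_of(s) for s in root.iter("service")
            if s.get(ANDROID + "permission") == A11Y_BIND]
    sms_receivers = [name_of(r) for r in root.iter("receiver")
                     if any(name_of(a) == SMS_DELIVER for a in r.iter("action"))]
    sms_perms = sorted(requested & SMS_PERMS)
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        "sms_deliver_receivers": sms_receivers,
        "sms_permissions": sms_perms,
        # Accessibility alone is common in legitimate apps; the pairing with SMS is what merits review.
        "review": bool(a11y) and bool(sms_receivers or sms_perms),
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A flagged result is a prompt for manual review, not a verdict: legitimate apps can declare both capabilities.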

“Once you fill in your credit card data, it goes directly to the criminals… and nothing else happens. They don’t even charge you this small sum (and why would they, now that they have all the funds from the card at their command?). And of course, they don’t show you any information about people infected with coronavirus near you, because they don’t have any.” continues the analysis published by Kaspersky.

This is just to lure the victim into providing their payment card data, which is delivered to the cybercriminals. Once the info is provided, nothing happens.

According to data from Kaspersky Security Network, most of the infections of this new variant of the Ginp Trojan, tracked as ‘flash-2,’ are in Spain.

Below are the recommendations provided by Kaspersky to avoid being infected with this malware:

Download apps only from Google Play (and disable the option to install apps from other sources).

Stay skeptical. If something seems suspicious – don’t click and, most importantly, don’t give any sensitive data such as logins, passwords and payment credentials away.

Do not give the Accessibility permission to apps that request it, other than anti-virus apps.

Use a reliable security solution. For example, Kaspersky Internet Security for Android is quite aware of Ginp and detects it as Trojan-Banker.AndroidOS.Ginp.

Pierluigi Paganini