Impersonate the apps of seven Spanish banks on Android
The Ginp malware was created only a few months ago and is part of a campaign focused on Spain. Picture an Android user opening his bank's application. If Ginp has sneaked onto the phone, it detects that action and draws a screen copied from the bank's over the legitimate app, but obviously for a different purpose. First it asks for the login credentials, then for the card details, including the expiration date and the CVV number. The user believes he is using the bank's app, but is handing his data to the thieves.
The attack is surprisingly sophisticated compared with what is usual against Spanish banks. "The fake phishing page is practically identical to the original. Someone has taken the time to copy it as is," explains Santiago Palomares, a malware analyst at ThreatFabric, a Dutch start-up specializing in banking Trojans that has analyzed the Ginp code.
Such care in copying the page is rare on Android phones and exceptional in malware aimed at Spanish banks: "No other malware for Spanish companies looked so much like the legitimate bank. The most common approach was to create a standard page and change only the logo and color. But Ginp doesn't: it even emulates a specific loading page that Bankia has, for example, even with the loading times of those applications," Palomares adds. The seven affected banks are CaixaBank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander.
The attackers have two ways to steal: one, use the card; two, make a transfer. If the confirmation code arrives by SMS, the same malicious app can forward it. "By infecting the phone, you have access to the SMS, so if you get the card credentials and data, it means you can make transactions in almost any store," says Palomares.
How can you tell that a phone is infected? When the bank app is launched, the appearance of the malicious screen looks like switching from one application to another on Android. "If you then look at the list of apps you have open, you see an unnamed one as the most recent, opened after the bank's," Palomares explains. This type of attack is called an overlay. It consists of drawing on top of the banking app by means of an Android permission. Google has made it increasingly difficult to achieve, but it still happens.
The other big question is how that malicious code got onto the user's phone. There are two basic paths. First, through a link. In the case of Ginp, the main wave has been spam with an SMS link. The Trojan then harvests the contact list and forwards the link to other users. A researcher at Kaspersky, who was the first to publish the existence of Ginp, gave an example of one of those SMS messages, which offered a supposed update to Android 10.
Another way this Trojan is distributed is through web ads in which a pop-up appears asking to install "Adobe Flash Player" on the phone. Flash has not been used on mobile phones for years, but it is a relic of the web that lingers in users' memory and is effective as a lure. And obviously, instead of Flash, what is installed is malicious code. Another common danger, which does not seem to have occurred in this case, is a trojanized application on Google Play. These can be flashlights, horoscopes, battery utilities or phone cleaners.
Once inside, the app is instructed to delete its icon, so that it hides and does not appear with a logo. But it keeps running, waiting for the user to launch a bank application.
The Spanish target does not imply that the Trojan's creators are also Spanish or know the language. There are indeed some typos in the screenshots provided by ThreatFabric. "It looks like they are not Spanish. There are things on their server that are in Russian. They are not usually isolated," Palomares says.