The Ginp banking trojan has new functionality, according to security company Kaspersky. It is taking advantage of people’s concerns over COVID-19 with a “Coronavirus Finder”. It opens a webpage that purports to show the number of nearby people infected with the virus. For just 0.75 Euros it will provide more information on those people to help you avoid them.
Many people still need to shop for essentials, especially as delivery services are overwhelmed. Knowing whether someone in the shop has the virus is something a lot of people would pay for. But this is a scam. The numbers are fake, the information is rubbish and the malware isn’t just stealing 0.75 Euros every time it is used. Instead, as a user pays, the malware steals their banking details and raids their bank accounts. Yes, there is a virus nearby, but not the one people are most worried about.
Alexander Eremin, security expert at Kaspersky, said: “Cybercriminals have, for months, attempted to take advantage of the coronavirus crisis by launching phishing attacks and creating coronavirus-themed malware. This is the first time, though, we’ve seen a banking Trojan attempting to capitalise on the pandemic. It’s alarming, particularly since Ginp is such an effective Trojan.
“We encourage Android users to be particularly vigilant at this time—pop-ups, unfamiliar webpages, and spontaneous messages about coronavirus should always be viewed skeptically.”
Ginp, the trojan that keeps taking
This is not the first time Ginp has developed a new trick to steal from its victims. It has been seen using push notifications and pop-up messages. These are used to get a victim to open apps. What the victim sees, however, is not really the app. Ginp overlays its own screen on top of the app. This is particularly useful when stealing banking details. It means that victims can be presented with a payment screen that sends their details to the criminals instead of the app owners.
Another common capability for a lot of malware is the interception of SMS messages. Ginp has evolved past that. In February, Kaspersky reported that it was faking incoming text messages.
It has previously been seen reading SMS messages. This evolved into the ability to send SMS messages to the user and make them appear as if they were coming from a trusted source such as a bank. Users are more likely to respond to those messages or follow instructions such as logging in to check payments. All of this activity is captured by Ginp and passed to the criminals.
Expanding targets from Spain to other countries
The criminals behind Ginp have previously shown that they are able to change the target geography. For the last few months it has been focused on Spain. This latest attack gives it the ability to attract a much wider audience.
Kaspersky reports that it has already seen a change in the delivery file to prepare for a new campaign. The previous version was tagged “flash-es12”. The new version is just tagged “flash-2”. This could mean its owners are about to join other criminal gangs in taking advantage of people’s fear of COVID-19.
Enterprise Times: What does this mean
The current pandemic makes for a target-rich opportunity for online scam artists and malware developers. People are naturally panicking about the implications of what is going on. Many accept that they need to go out shopping to get food and essentials and that puts them at risk. As Ginp pretends to provide information about those nearby who are infected, it will find a lot of people willing to access that data.
At present, the attack is focused on the finances of its victims. It would not be a huge jump for it to start harvesting user credentials to attack businesses. Work from home means that users are making use of their personal devices. Few will improve their personal security behaviour in the current circumstances. Companies need to do more to help educate them.