Ginp Banking Trojan Exploits Covid-19 Fears
Even the staunchest digital puritans have been spurred to click on a thing or two by FOMO, the 'fear of missing out'. Our natural, healthy fear of missing out on something important is what fueled, and still sustains, the social media explosion. Tech entrepreneurs, publishers, and advertisers know exactly how to trigger our primal FOMO instincts to get a click, and so do cybercriminals. Ginp is a Banking Trojan that targets mobile users and devices, primarily Android. A Banking Trojan is a malicious computer program that intercepts sensitive personal information and credentials used to access online bank or payment accounts.
Hark back to the spring of 2020: what was the most important thing on everyone's mind? You guessed it – Covid-19. In the early pandemic days, when fear and uncertainty were at their height, cybercriminals crafted and launched an attack that perfectly exploited this fear.
In early June 2020, people in Spain started receiving SMS and email notifications claiming to have the locations of confirmed Covid-19 cases in the recipient's area. To view the locations, all they had to do was click to download the 'Coronavirus Finder' app and pay a small fee.
I consider myself a seasoned online sceptic, but even I would have fallen for this. In fact, this mobile notification looks just as legitimate as several other Covid-19 map apps and services launched by government agencies and reputable non-profits. I too have remained constantly obsessed with tracking infection rates to assess my personal risk and the efficacy of government restriction policies. After FOMO and plain old fear triggered the click reflex, users were directed to a simple, legitimate-looking payment screen.
Once users downloaded and installed the fraudulent 'Coronavirus Finder' app, the app itself began stealthily collecting personal information from the user's phone that could be used in the next phase of the attack. The app transmits this information to a dedicated server controlled by the cybercriminals, who then use it to tailor the next stage. Say you frequently shop on Amazon and pay with the PayPal app: you will soon be targeted with a phishing message or an overlay webpage that exactly mimics your normal use but instead funnels your credit card or bank account details back to the cybercriminals. You won't even suspect that anything strange has happened.
Recent versions of the Ginp banking trojan can spoof SMS messages that mimic familiar two-factor authentication flows in which an authentication code is sent via SMS. Ginp has also gained the ability to block notifications, suppressing security warnings from any endpoint antivirus software installed on the phone. This renders endpoint security solutions useless and lets Ginp harvest further information from social media notifications, which is then used to customize attacks even further.
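The three capabilities described above (SMS interception, screen overlays, and notification control) each map onto Android permissions an app must declare in its manifest, which gives defenders a cheap triage signal. The script below is an added example, not Ginp's code or Allot's tooling; it parses a constructed AndroidManifest.xml and flags which of those capability buckets an app declares (the bucket-to-permission mapping is an assumption for illustration, and a hit is a reason to look closer, not proof of malware).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the behaviours described above to the Android permissions
# that enable them. Legitimate apps (SMS clients, accessibility tools) also use
# these, so the output is a triage signal rather than a verdict.
CAPABILITIES = {
    "sms_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "notification_control": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus permissions guarding <service> entries."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # A notification listener is a <service> protected by the bind permission,
    # not a <uses-permission>, so it must be collected separately.
    perms |= {svc.get(ANDROID_NS + "permission") for svc in root.iter("service")}
    return {p for p in perms if p}

def banking_trojan_indicators(manifest_xml: str) -> dict:
    """Return {capability: [matching permissions]} for every bucket that is hit."""
    perms = declared_permissions(manifest_xml)
    return {cap: sorted(perms & wanted) for cap, wanted in CAPABILITIES.items() if perms & wanted}

def risk_score(manifest_xml: str) -> int:
    """Number of capability buckets present; 3 means all behaviours above are possible."""
    return len(banking_trojan_indicators(manifest_xml))

# Constructed manifest modelled on the behaviours in the text (not a real sample).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.coronavirusfinder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Coronavirus Finder">
    <service android:name=".NotifyListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign manifest: a plain map viewer that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.casemap">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Case Map"/>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, risk_score(m), banking_trojan_indicators(m))
```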
From April to July 2020, Allot Secure blocked approximately 1,000,000 instances of the Ginp Banking Trojan in Spain.
It is impossible to predict where the Ginp Banking Trojan will strike next, but Ginp has also been found in the UK, France, Poland and Turkey. The first wave in Spain seems to have subsided for now, but we expect the cybercriminals behind the attack are busy improving the malware and devising new social engineering techniques before launching the next wave.