What you need to know about the trojan virus planted in Spanish banking apps
Authorities have issued warnings about a malware that has been planted in the online banking apps of seven Spanish banks and which allows thieves to access your login details and clear out your account.
The ‘Ginp’ malware only affects mobile apps on the Android version.
Here’s what you need to know:
Which banks are affected?
The Android apps affected are those from Caixabank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander.
How does it work?
When you open the banking app on your Android phone, you will be presented with a fake “phishing page” so when you add your login details, account number and security code, it will be shared directly with the thieves.
"The fake phishing page is practically identical to the original. Someone has taken time to copy it as is," Santiago Palomares, a malware analyst at Threatfabric, a Dutch start-up specializing in banking Trojans who has analyzed the Ginp code told El Pais.
What happens next?
This “phishing page” basically hands all your details to the thieves who can then use your card or arrange transfers directly from your bank account. The virus even allows the SMS with confirmation code that is sent to your phone ahead of each online transaction to be forwarded to the thieves.
How do I know?
You need to very vigilant and watch what happens when you launch the bank app when your phone.
“When the malware is first started on the device it will begin by removing its icon from the app drawer, hiding from the end user. In the second step it asks the victim for the Accessibility Service privilege,” explains Threatfabric.
This step is visible in the following screenshot which it uses to gain access to your device in an attack called “overlay”.
Android Banking Malware “Ginp” Steal Credit/Debit Card Info via Screen Overlay Attack To Empty Your Bank Money https://t.co/VAbfudEM2B pic.twitter.com/Dew7oAOdRr
— Guru (@guruba008) November 22, 2019
“If you look then in the list of apps that you have open you see an unnamed one like the most recent one, open after the one in the bank,” the Citizen Advice Bureau Spain warns.
The overlay will ask for more details than is usual, including card numbers, expiry codes and and the CVV code but the app looks so similar that you might be caught out.
The tweet below shows authentic banking app long in page and the malware overlay pages alongside:
#Anubis based #malware #Ginp targets Spanish bankaccounts.
For now.
Overlay consists of generic #creditcard grabber targeting social and utility apps, such as #GooglePlay, #Facebook, #WhatsApp, #Chrome, #Skype, #Instagram, #SnapChat, #Viber and #Twitter.https://t.co/EBVnNj4Gjd pic.twitter.com/yCMRdUE7as
— Anonymous Scandinavia?#SafePassage⏳#NoExtradition (@AnonScan) November 24, 2019
How did your app get infected with the virus in the first place?
You may have opened a dodgy message with an SMS link providing a supposed update of Android 10.
Or you may have been infect through an ad on the web by a pop-up asking to install “Adobe Flash Player” on the mobile. Infact, Flash has not been needed on mobile phones for years, but it is so strong in the collective memory that it is used by hackers to gain access.
Once inside, the malware app deletes its icon, to hide and not appear with a logo. But it keeps running in the background just waiting for the user to launch online banking.
What do I do?
If you think you have been targeted then immediately take the app off your phone, contact your bank and discuss whether you need to cancel your bank cards.
Is it only in Spain?
Yes so far only these seven Spanish banks are affected but tech insiders warn that it could be expanded.
Comments
See Also
The ‘Ginp’ malware only affects mobile apps on the Android version.
Here’s what you need to know:
Which banks are affected?
The Android apps affected are those from Caixabank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander.
How does it work?
When you open the banking app on your Android phone, you will be presented with a fake “phishing page” so when you add your login details, account number and security code, it will be shared directly with the thieves.
"The fake phishing page is practically identical to the original. Someone has taken time to copy it as is," Santiago Palomares, a malware analyst at Threatfabric, a Dutch start-up specializing in banking Trojans who has analyzed the Ginp code told El Pais.
What happens next?
This “phishing page” basically hands all your details to the thieves who can then use your card or arrange transfers directly from your bank account. The virus even allows the SMS with confirmation code that is sent to your phone ahead of each online transaction to be forwarded to the thieves.
How do I know?
You need to very vigilant and watch what happens when you launch the bank app when your phone.
“When the malware is first started on the device it will begin by removing its icon from the app drawer, hiding from the end user. In the second step it asks the victim for the Accessibility Service privilege,” explains Threatfabric.
This step is visible in the following screenshot which it uses to gain access to your device in an attack called “overlay”.
Android Banking Malware “Ginp” Steal Credit/Debit Card Info via Screen Overlay Attack To Empty Your Bank Money https://t.co/VAbfudEM2B pic.twitter.com/Dew7oAOdRr
— Guru (@guruba008) November 22, 2019
“If you look then in the list of apps that you have open you see an unnamed one like the most recent one, open after the one in the bank,” the Citizen Advice Bureau Spain warns.
The overlay will ask for more details than is usual, including card numbers, expiry codes and and the CVV code but the app looks so similar that you might be caught out.
The tweet below shows authentic banking app long in page and the malware overlay pages alongside:
#Anubis based #malware #Ginp targets Spanish bankaccounts.
— Anonymous Scandinavia?#SafePassage⏳#NoExtradition (@AnonScan) November 24, 2019
For now.
Overlay consists of generic #creditcard grabber targeting social and utility apps, such as #GooglePlay, #Facebook, #WhatsApp, #Chrome, #Skype, #Instagram, #SnapChat, #Viber and #Twitter.https://t.co/EBVnNj4Gjd pic.twitter.com/yCMRdUE7as
How did your app get infected with the virus in the first place?
You may have opened a dodgy message with an SMS link providing a supposed update of Android 10.
Or you may have been infect through an ad on the web by a pop-up asking to install “Adobe Flash Player” on the mobile. Infact, Flash has not been needed on mobile phones for years, but it is so strong in the collective memory that it is used by hackers to gain access.
Once inside, the malware app deletes its icon, to hide and not appear with a logo. But it keeps running in the background just waiting for the user to launch online banking.
What do I do?
If you think you have been targeted then immediately take the app off your phone, contact your bank and discuss whether you need to cancel your bank cards.
Is it only in Spain?
Yes so far only these seven Spanish banks are affected but tech insiders warn that it could be expanded.
Join the conversation in our comments section below. Share your own views and experience and if you have a question or suggestion for our journalists then email us at [email protected].
Please keep comments civil, constructive and on topic – and make sure to read our terms of use before getting involved.
Please log in here to leave a comment.