The ‘Ginp’ malware only affects mobile apps on Android.
Here’s what you need to know:
Which banks are affected?
The Android apps affected are those from Caixabank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander.
How does it work?
When you open the banking app on your Android phone, you will be presented with a fake “phishing page”, so when you enter your login details, account number and security code, they are shared directly with the thieves.
“The fake phishing page is practically identical to the original. Someone has taken time to copy it as is,” Santiago Palomares, a malware analyst at Threatfabric, a Dutch start-up specializing in banking Trojans, who has analyzed the Ginp code, told El Pais.
What happens next?
This “phishing page” basically hands all your details to the thieves, who can then use your card or arrange transfers directly from your bank account. The virus even allows the SMS with the confirmation code that is sent to your phone ahead of each online transaction to be forwarded to the thieves.
How do I know?
You need to be very vigilant and watch what happens when you launch the bank app on your phone.
“When the malware is first started on the device it will begin by removing its icon from the app drawer, hiding from the end user. In the second step it asks the victim for the Accessibility Service privilege,” explains Threatfabric.
This step, visible in the following screenshot, is what it uses to gain access to your device in an attack called “overlay”.
“If you look then in the list of apps that you have open you see an unnamed one like the most recent one, open after the one in the bank,” the Citizen Advice Bureau Spain warns.
The overlay will ask for more details than is usual, including card numbers, expiry codes and the CVV code, but the app looks so similar that you might be caught out.
The tweet below shows the authentic banking app login page and the malware overlay pages alongside:
How did your app get infected with the virus in the first place?
You may have opened a dodgy SMS message with a link offering a supposed Android 10 update.
Or you may have been infected through an ad on the web, by a pop-up asking to install “Adobe Flash Player” on the mobile. In fact, Flash has not been needed on mobile phones for years, but it is so strong in the collective memory that it is used by hackers to gain access.
Once inside, the malware app deletes its icon so that it stays hidden and does not appear with a logo. But it keeps running in the background, just waiting for the user to launch online banking.
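The two behaviours described above, an app that removes its icon and holds the Accessibility Service privilege, can be checked together on a device you are examining. The following is an added example, not part of the original article or Threatfabric's analysis: it flags user-installed packages that have an accessibility service enabled but no launcher icon. It assumes the value of Android's `enabled_accessibility_services` secure setting and two `package:<name>` lists (user-installed apps, and apps with a launcher icon) have already been collected; all package names and sample data are constructed.

```python
# Added example: flag user-installed apps that hold an accessibility service
# but show no launcher icon. All package names and sample data are constructed.

def parse_accessibility_services(raw):
    """Parse the colon-separated 'package/ServiceClass' setting into package names."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting is empty or unset
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_package_list(raw):
    """Parse 'package:<name>' lines (the format printed by `pm list packages`)."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def suspicious_packages(accessibility_raw, third_party_raw, launcher_raw):
    """Return user-installed accessibility holders that have no launcher icon."""
    holders = parse_accessibility_services(accessibility_raw)
    third_party = parse_package_list(third_party_raw)
    with_icon = parse_package_list(launcher_raw)
    # System services (e.g. a preinstalled screen reader) are excluded because
    # they do not appear in the user-installed list.
    return sorted((holders & third_party) - with_icon)


# Constructed sample inputs (assumed to be collected beforehand).
SAMPLE_ACCESSIBILITY = (
    "com.example.screenreader/.ReaderService:com.example.flashupdate/.Svc"
)
SAMPLE_THIRD_PARTY = """package:com.example.screenreader
package:com.example.flashupdate
package:com.example.bankapp
"""
SAMPLE_LAUNCHER = """package:com.example.screenreader
package:com.example.bankapp
"""

if __name__ == "__main__":
    for pkg in suspicious_packages(SAMPLE_ACCESSIBILITY, SAMPLE_THIRD_PARTY,
                                   SAMPLE_LAUNCHER):
        print("review:", pkg)
```

A flagged package is a candidate for review rather than proof of infection, since some legitimate tools also run without an icon.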
What do I do?
If you think you have been targeted then immediately take the app off your phone, contact your bank and discuss whether you need to cancel your bank cards.
Is it only in Spain?
Yes, so far only these seven Spanish banks are affected, but tech insiders warn that it could be expanded.