This warning has been issued today via Citizens Advice Bureau Spain. Other Spanish media have also issued alerts.
“A dangerous Trojan Virus ‘Ginp’ has been planted in the Apps of seven Spanish banks – the Android Version.
The Apps affected are those from Caixabank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank y Santander.
How does it work?
When you open the app, instead of the regular start page, you will get a superimposed ‘phishing page’, but very similar in appearance, asking you for your login details, card details and security code.
The details of course do not go to your bank, but to thieves instead.
What can happen?
They can use your card, or arrange for transfers from your bank account. When the SMS with confirmation code from the bank is received by your phone, the Ginp virus will make sure it gets sent on to the thieves.
How do I know?
When the bank app is launched, the effect of the appearance of the malicious screen is similar to when it is passed from one application to another on Android mobiles. “If you look then in the list of apps that you have open you see an unnamed one like the most recent one, open after the one in the bank,” an expert explains. This type of attack is called overlay. It consists of getting on top of the banking app through an Android permit. Google has made it increasingly difficult to achieve, but it still happens.
What do I do?
Take the App off your phone.
How did the App get ‘infected’ with the virus?
There are two basic paths. First, through a link. In the case of Ginp, the main wave has been through spam with an SMS link. The Trojan then hijacks the contact list and forwards the link to other users. A researcher at Kaspersky, who was the first to publish the existence of Ginp, gave an example of one of those SMS messages, with a supposed update of Android 10.
Another way in which this Trojan is distributed is with ads on the web in which a pop-up pops up asking to install “Adobe Flash Player” on the mobile. Flash has not been used in mobile phones for years, but it is an often found feature of the web that has remained in our memory and is effective as a hook. And obviously instead of Flash there is malicious code. Another usual danger that does not seem to have occurred in this case is through a Trojan application on Google Play. They can be flashlights, horoscopes, battery utilities or phone cleaning.
Once inside, the app has instructions to delete its icon, to hide and not appear with a logo. But it keeps running while waiting for the user to start a bank application.”