Emergent Android banking Trojan shows app overlay attacks are still effective

Researchers are tracking an Android Trojan that’s been rapidly improving over the past several months. It uses overlay attacks to steal login credentials and payment card details from users of banking and other applications.

Dubbed Ginp, the Trojan was first spotted in October 2019, but has been in the wild since at least June, according to researchers from Dutch cybersecurity company ThreatFabric. During the past five months, the malware has received numerous improvements, including some features borrowed from an older commercial banking Trojan called Anubis.

Ginp a developing threat

Ginp started out as a new Trojan built from scratch that masqueraded as an app called Google Play Verificator. It stole incoming and outgoing SMS messages from infected devices. A later version, released in August, added overlay attacks, in which the malware draws its own window on top of a legitimate application the moment the user opens it, so that credentials typed into the fake screen go to the attacker rather than the app.

Initially, the Trojan used a generic overlay window that asked users for payment card information when opening popular apps like Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram and Twitter. Yet another iteration added payload obfuscation to make detection harder and added Snapchat and Viber to the targeted apps list, as well as dedicated overlays for specific banking apps.

The latest version of the Trojan, released earlier this month, brought major changes. The authors copied code from another Android Trojan called Anubis, whose code leaked earlier this year, to enhance its overlay attacks. It now targets 24 apps from seven Spanish banks, with a unique overlay for each app that is dynamically loaded from a command-and-control server. The older generic overlay approach is still used, but only for Google Play; the other social and utility apps are no longer targeted.
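The two capabilities the article attributes to Ginp, SMS theft and overlays drawn over other apps, are both visible as granted permissions on an Android device. The following triage script is an added example, not code from the article or from ThreatFabric's research: it parses a (constructed, simplified) excerpt of `adb shell dumpsys package` output and flags packages that hold the overlay permission and are not on an allowlist, raising severity when the same package also holds SMS permissions. The use of `SYSTEM_ALERT_WINDOW` for overlays, the `<permission>: granted=true` line format, the allowlist and the package names in the sample are assumptions of the example, not facts from the page.

```python
"""Triage check for overlay-capable apps on an Android device.

Added example, not part of the original article or ThreatFabric's research.
Assumptions (not from the page): Android overlays are drawn with the
SYSTEM_ALERT_WINDOW permission, and `adb shell dumpsys package` prints, per
package, permission lines of the form `<permission>: granted=true|false`.
The dump below is constructed for the example; the package names are made up.
"""
import re
from typing import Dict, List, Set

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
# Packages expected to draw over other apps on a stock device (assumed list;
# extend it for the device image you are triaging).
ALLOWLIST = {"com.android.systemui"}

# Constructed, simplified excerpt of `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
Packages:
  Package [com.android.systemui] (1a2b3c):
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
  Package [com.whatsapp] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=false
  Package [com.example.verificator] (7a8b9c):
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true
        android.permission.READ_SMS: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted(dump: str) -> Dict[str, Set[str]]:
    """Map each package name to the permissions the dump marks granted=true."""
    granted: Dict[str, Set[str]] = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current is not None and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def triage(dump: str) -> List[dict]:
    """Flag packages that can draw over other apps and are not allowlisted.

    Holding SMS permissions on top of the overlay permission raises severity:
    that pairing matches the capabilities the article describes for Ginp, but
    it is a heuristic that needs analyst follow-up, not proof of infection.
    """
    findings = []
    for pkg, perms in parse_granted(dump).items():
        if OVERLAY not in perms or pkg in ALLOWLIST:
            continue
        sms = sorted(perms & SMS_PERMS)
        findings.append({
            "package": pkg,
            "severity": "high" if sms else "medium",
            "sms_permissions": sms,
        })
    return findings


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then feed the file.
    for f in triage(SAMPLE_DUMP):
        print(f"{f['severity']:6} {f['package']} sms={f['sms_permissions']}")
```

On the constructed dump only `com.example.verificator` is reported, at high severity, because it is the only non-allowlisted package that can draw overlays and it also reads and receives SMS. Any app a user has knowingly granted "draw over other apps" will show up at medium severity, which is why the allowlist should be tuned per device rather than treated as a verdict.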

The November 2019 version marks a change of modus operandi for the attackers, from an indiscriminate targeting of social app users to specific targeting of online banking customers. The focus is on Spanish banks for now, but this might change as attackers build overlays for other banking apps.

Copyright © 2019 IDG Communications, Inc.
