Pierluigi Paganini November 30, 2019

Security experts discovered an Android banking Trojan, dubbed Ginp, that steals both login credentials and credit card data.

Security experts at ThreatFabric discovered an Android banking Trojan, dubbed Ginp, that steals both login credentials and credit card data.

Ginp was first spotted in October by Kaspersky while targeting Spain and UK, but researchers believe it has been active around since June. The malware has already received five major updates, with the latest one borrowing pieces of code from the Anubis banking Trojan.

“What makes Ginp stand out is that it was built from scratch being expanded through regular updates, the last of which including code copied from the infamous Anubis banking Trojan, indicating that its author is cherry-picking the most relevant functionality for its malware. In addition, its original target list is extremely narrow and seems to be focused on Spanish banks.” reads the report published by ThreatFabric. “Last but not least, all the overlay screens (injects) for the banks include two steps; first stealing the victim’s login credentials, then their credit card details.”

The initial version of the malware dates back to early June 2019, it was masquerading as a “Google Play Verificator” app and it was developed to steal victim’s SMS messages. In August, its authors implemented some banking-specific features and started spreading the malicious code as fake “Adobe Flash Player” apps.

The malware abuses the Accessibility Service to perform overlay attacks and become the default SMS app.

By using overlay attacks as part of a generic credit card grabber the malware targets social and utility apps, including Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram, and Twitter.

A more recent was also able to target Snapchat and Viber applications.

Experts noticed that the third version spotted in the wild includes the source code of the Anubis Trojan that was leaked earlier this year, this variant no longer includes social apps in the target list, instead, it focuses on banks.

“A remarkable fact is that all the targeted apps relate to Spanish banks, including targets never seen before in any other Android banking Trojan. The 24 target apps belong to 7 different Spanish banks: Caixa bank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander.” continues the analysis.

The latest version, discovered this month by the experts, only implemented minor changes that seem to be unused. The author also implemented a feature to grant the app the device admin permission to perform tasks such as sending messages and making calls.

“When the malware is first started on the device it will begin by removing its icon from the app drawer, hiding from the end user. In the second step it asks the victim for the Accessibility Service privilege.” continues the analysis.

Once the user has granted the requested Accessibility Service privilege, Ginp starts by granting itself additional permissions, including permissions to send messages and make calls without any user interaction. At this point, the malware wait for commands from the C2.

Ginp is currently implementing the following features, allowing it to remain under the radar:

• Overlaying: Dynamic (local overlays obtained from the C2)
• SMS harvesting: SMS listing
• SMS harvesting: SMS forwarding
• Contact list collection
• Application listing
• Overlaying: Targets list update
• SMS: Sending
• Calls: Call forwarding
• C2 Resilience: Auxiliary C2 list
• Self-protection: Hiding the App icon
• Self-protection: Preventing removal
• Self-protection: Emulation-detection

Ginp leverages the Accessibility Service to determine the application that is running in the foreground, then compare its package name with the ones in the target list, and shows the related overlay.

The bot sends the package name to the C2 that in turn provides an HTML page that is loaded into the WebView-based overlay.

Experts believe Ginp will continue to evolve in the next months by implementing new capabilities. Experts believe that the authors of the malware are planning an expansion to their operations to other countries.

“Ginp is a simple but rather efficient banking Trojan providing the basic functionality to be able to trick victims into delivering personal information. In a 5-month timespan, actor managed to create a Trojan from scratch which will presumably continue evolving offering new features such as keylogging, back-connect proxy or RAT capabilities.” continues the report.

“Ginp’s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank. The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language,”

Pierluigi Paganini

(SecurityAffairs – Ginp, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]