Researchers have exposed a new family of Android banking malware named “Ginp”. According to ThreatFabric, attackers use Ginp to steal victims’ banking credentials, SMS messages and credit/debit card details, and it focuses on customers of Spanish banks.
ThreatFabric reports that the malware, first publicly identified by Tatyana Shishkova of Kaspersky in October 2019, is still under active development: five versions of the Trojan were released within five months (June to November 2019).
Ginp is reportedly built from scratch, although it includes code copied from the infamous Anubis banking Trojan.
How does it work?
Once installed on the device, the malware starts by removing its icon from the app drawer. It then asks the victim to enable the Accessibility Service privilege for it. Once the user grants that privilege, Ginp uses it to grant itself the additional permissions it needs to send SMS messages and make calls, without the victim noticing.
“The most recent version of Ginp has the same capabilities as most other Android banking Trojans, such as the use of overlay attacks, SMS control and contact list harvesting. Overall, it has a common feature list, but it is expected to expand in future updates. Since Ginp is already using some code from the Anubis Trojan, it is quite likely that other, more advanced features from Anubis or other malware, such as a back-connect proxy, screen-streaming and RAT will also be added in the future,” ThreatFabric said in a statement.
According to ThreatFabric, Ginp's current feature set includes:
- Overlaying: Dynamic (local overlays obtained from the C2)
- SMS harvesting: SMS listing
- SMS harvesting: SMS forwarding
- Contact list collection
- Application listing
- Overlaying: Targets list update
- SMS: Sending
- Calls: Call forwarding
- C2 Resilience: Auxiliary C2 list
- Self-protection: Hiding the App icon
- Self-protection: Preventing removal
- Self-protection: Emulation-detection
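The two behaviours described above, hiding the launcher icon and then obtaining the Accessibility Service privilege, leave a fingerprint that a responder can check over adb. The script below is an added triage example, not code from the article or from ThreatFabric: it parses the text output of three adb commands and flags third-party packages that have an accessibility service enabled but expose no launcher activity. The three sample outputs are constructed so the script runs offline, and the package names com.example.totally.legit.update and com.example.updatecenter are hypothetical.

```python
"""Triage check for the Ginp-style combination of a hidden launcher icon and
an enabled Accessibility Service (added example, not ThreatFabric's code).

The inputs are the text outputs of three adb commands. The strings below are
constructed samples; on a real device collect them with:
  adb shell pm list packages -3
  adb shell settings get secure enabled_accessibility_services
  adb shell cmd package query-activities --brief \
      -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
"""
import re
import sys

# Constructed sample: third-party packages, one "package:<name>" per line.
SAMPLE_PM_LIST = """\
package:com.android.chrome
package:com.example.totally.legit.update
package:org.mozilla.firefox
"""

# Constructed sample: colon-separated "package/ServiceClass" component names,
# or the literal string "null" when no accessibility service is enabled.
SAMPLE_A11Y_SETTING = (
    "com.example.totally.legit.update/.svc.AccService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

# Constructed sample of the launcher-activity query. The parser only relies on
# "package/Class" tokens, so header lines and indentation are tolerated.
SAMPLE_LAUNCHER_QUERY = """\
3 activities found:
  com.android.chrome/com.google.android.apps.chrome.Main
  org.mozilla.firefox/.App
  com.example.updatecenter/.MainActivity
"""

# A component name is "<package>/<class>"; group 1 is the package.
COMPONENT_RE = re.compile(r"([A-Za-z][\w.]*)/(\S+)")


def parse_pm_list(output: str) -> set:
    """Package names from `pm list packages` output."""
    return {
        line.split(":", 1)[1].strip()
        for line in output.splitlines()
        if line.startswith("package:")
    }


def parse_a11y_setting(value: str) -> set:
    """Packages that own an enabled accessibility service."""
    value = value.strip()
    if value in ("", "null"):
        return set()
    owners = set()
    for component in value.split(":"):
        match = COMPONENT_RE.search(component)
        if match:
            owners.add(match.group(1))
    return owners


def parse_launcher_query(output: str) -> set:
    """Packages that still expose a MAIN/LAUNCHER activity, i.e. still have an icon."""
    return {match.group(1) for match in COMPONENT_RE.finditer(output)}


def hidden_a11y_packages(pm_list: str, a11y_setting: str, launcher_query: str) -> list:
    """Third-party packages with an accessibility service enabled but no launcher icon."""
    third_party = parse_pm_list(pm_list)
    a11y_owners = parse_a11y_setting(a11y_setting)
    with_icon = parse_launcher_query(launcher_query)
    return sorted((third_party & a11y_owners) - with_icon)


if __name__ == "__main__":
    hits = hidden_a11y_packages(SAMPLE_PM_LIST, SAMPLE_A11Y_SETTING, SAMPLE_LAUNCHER_QUERY)
    for pkg in hits:
        print(f"SUSPICIOUS: {pkg} has an enabled accessibility service but no launcher icon")
    sys.exit(1 if hits else 0)
```

The check is a heuristic, not proof of infection: an icon is typically hidden by disabling the app's launcher activity component, which is why the package drops out of the launcher query, but a legitimate third-party accessibility tool with no launcher entry would trip it too. Treat a hit as a package to pull and inspect (`adb shell pm path <pkg>`, then `adb pull`), not as a verdict.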
Security researchers consider Ginp an effective banking Trojan for tricking victims into handing over sensitive information. “Ginp’s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank. The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language,” ThreatFabric added.