Ginp
Ginp appeared on the threat landscape in the second half of 2019 as a simple SMS stealer, completely written from scratch. It is not unusual to see actors attempt to create new malware now and then, but in this particular case the malware started to evolve rapidly, going through frequent development cycles.
In the months following its first appearance, it has adopted techniques used by mature banking malware, sometimes even reusing code snippets from existing malware such as Anubis. By fall 2019, Ginp was already a fully-fledged banking Trojan, capable of performing credit card and credential theft using overlay attacks.
The frequency at which this Trojan is evolving is quite surprising: the authors have released more than 10 different variants of the bot in 4 months. Here we highlight the important mutations that Ginp went through in that time span:
| Date | Description of changes |
|---|---|
| June 2019 | Simple SMS stealer |
| August 2019 | Generic card grabber overlay capability and abuse of Accessibility Service |
| October 2019 | Payload obfuscation and card grabber overlays specific per target |
| November 2019 | Complete overlay capability with credential theft and reuse of Anubis Trojan code |
| November 2019 | Possibility to request additional permissions and bypass battery optimization rules |
| December 2019 | Overlay attacks through push notifications |
| December 2019 | Doze mode and SharedPreferences updates through command |
| December 2019 | Keylogging capability |
| December 2019 | Added show alert command and delays for specific features such as granting permissions and injects |
| December 2019 | Expanded list of targets |
| December 2019 | Added get phone number command |
| December 2019 | Hard-coded targets changed from banking apps to social ones |
| January 2020 | Added androidx library and stop notifications, call forward, send fake SMS and ringtone commands |
| January 2020 | Added get running processes and get current activity commands |
Another aspect that makes Ginp stand out is the modus operandi of its overlay attacks. As can be seen in the following screenshots of overlays, a remarkable differentiator of Ginp is that all its overlay screens for banking apps consist of at least two steps. The first page of the overlay is used to steal the login credentials, the second one to steal the credit card details. The social-engineering trick encourages the victim to "validate" their identity and therefore provide all of the previously mentioned information.
The following screenshots show a set of overlays used by Ginp:
So far the authors of the Trojan seem to have kept it private. The current narrow and highly focused target list (see appendix) indicates a certain knowledge of and interest in Spanish banks, which could point to the authors' familiarity with the country.
Although capable of stealing basic personal information from victims, Ginp still lacks functionality when it comes to remaining undetected while performing fraud. Although this gap exists today, given how fast and how frequently new versions of the Ginp Trojan are released, there is a high chance that it will be addressed soon. We can expect Ginp to evolve further in order to circumvent fraud detection measures and therefore also offer functionalities such as screencast, back-connect proxy and possibly even RAT.
Samples
| SHA-256 |
|---|
| f3c6e10744efd192c1b137751dbb9941a01fe548eb4f08c3829e1f54793f0347 |
| 74180939b0340359eb6c4583e6fed306759ff2fad214a64946ddb17cc0aec5dd |
| 66f83000c34469682d966fb4053534eb645b32651a81ec5aca95b23987ce3456 |
Target list
| Package name | Application name |
|---|---|
| es.lacaixa.hceicon2 | CaixaBank Pay: Mobile Payments |
| es.lacaixa.mobile.android.newwapicon | CaixaBank |
| es.caixabank.caixabanksign | CaixaBank Sign - Digital Coordinate Card |
| es.caixabank.mobile.android.tablet | CaixaBank Tablet |
| com.imaginbank.app | imaginBank - Your mobile bank |
| es.lacaixa.app.multiestrella | Family |
| com.tecnocom.cajalaboral | Banca Móvil Laboral Kutxa |
| es.caixageral.caixageralapp | Banco Caixa Geral España |
| com.abanca.bancaempresas | ABANCA Firma Empresas |
| com.bankinter.launcher | Bankinter Móvil |
| com.bankinter.bkwallet | Bankinter Wallet |
| com.bankinter.coincwallet | COINC Wallet |
| com.bankinter.bankintercard | bankintercard |
| es.cm.android | Bankia |
| com.bankia.wallet | Bankia Wallet |
| es.cm.android.tablet | Bankia Tablet |
| com.bbva.bbvacontigo | BBVA Spain |
| com.bbva.netcash | BBVA Net Cash \| ES & PT |
| es.evobanco.bancamovil | EVO Banco móvil |
| com.redsys.bizum | EVO Bizum |
| com.kutxabank.android | Kutxabank |
| es.redsys.walletmb.app.kutxa.pro | KutxabankPay |
| es.banconsantander.app.tablet | Santander Tablet |
| es.bancosantander.apps | Santander |
| es.bancosantander.android.confirming | Confirming Santander |
| com.tm.sanstp | Santander Cash Nexus |
| es.caixagalicia.activamovil | ABANCA - Banca Móvil |
| com.ebay.mobile | eBay - Online Shopping - Buy, Sell, and Save Money |
| net.inverline.bancosabadell.officelocator.android | Banco Sabadell App. Your mobile bank |
| com.bancsabadell.wallet | Sabadell Wallet |
| net.inverline.bancosabadell.officelocator.activobank | ActivoBank |
| com.bancosabadell.bsagro | Sabadell Agro |
| com.bancosabadell.redsys.mpos.phone | TPV Móvil Sabadell Phone |
| com.bancosabadell.zonacomerciossabadell | Sabadell Zona Comercios |
| com.cajasur.android | Cajasur |
| com.db.pbc.mibanco | Mi Banco db |
| com.grupocajamar.wefferent | Grupo Cajamar |
| www.ingdirect.nativeframe | ING España. Banca Móvil |
| com.indra.itecban.mobile.novobanco | NBapp Spain |
| es.openbank.mobile | Openbank – banca móvil |
| es.pibank.customers | Pibank |
| app.wizink.es | WiZink, tu banco senZillo |
| es.univia.unicajamovil | UnicajaMovil |
| com.indra.itecban.triodosbank.mobile.banking | Triodos Bank. Banca Móvil |
| com.android.vending | Play Store |
| com.viber.voip | Viber Messenger |
| com.google.android.youtube | YouTube |
| com.snapchat.android | Snapchat |
| com.microsoft.office.lync15 | Skype for Business for Android |
| com.skype.m2 | Skype Lite - Free Video Call & Chat |
| com.skype.raider | Skype - free IM & video calls |
| com.instagram.lite | Instagram Lite |
| com.instagram.android | |
| com.whatsapp.w4b | WhatsApp Business |
| com.whatsapp | WhatsApp Messenger |
| com.facebook.mlite | Messenger Lite: Free Calls & Messages |
| com.facebook.lite | Facebook Lite |
| com.facebook.orca | Messenger – Text and Video Chat for Free |
| com.facebook.katana | |
| com.ziraat.ziraatmobil | Ziraat Mobile |
| alior.bankingapp.android | Usługi Bankowe |
| pl.pkobp.iko | IKO |