Ginp, a mobile banking Trojan, has been constantly refined to collect login credentials and payment card details. It started as an SMS stealer that delivered the victim’s incoming and outgoing messages to a command and control (C2) server; it now focuses on payment card details.
Ginp was first found in October by Tatyana Shishkova, an Android malware analyst at Kaspersky.
According to researchers at the Amsterdam-based cybersecurity company ThreatFabric, Ginp has evolved in stages over the past five months; it initially posed as a “Google Play Verificator” app.
Banking trojan features first appeared in the second version, which was disguised as Adobe Flash Player and was able to run overlay attacks.
Ginp was also able to make itself the default SMS app by registering, with the consent of the user, as an accessibility service, a feature designed to help people with various disabilities.
Once the malware obtains accessibility privileges, it can grant itself additional permissions without any further interaction from the user, including the ability to make calls and send messages.
At this development stage, the malware was still not a fully capable banking trojan: the overlay was a generic credit card grabber targeting social and utility apps such as Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram, and Twitter.
The third version of Ginp had a target list aimed only at banking apps. This version also contained code from the Anubis banking trojan. All the banks on the list were Spanish and included big names such as Caixa, Santander, EVO Banco, BBVA, Bankinter, Bankia, and Kutxabank.
Ginp could retrieve every SMS received by the victim, so an attacker could easily collect the two-factor authentication (2FA) codes that banks send to prevent fraudulent logins.
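The combination described above (an accessibility service that can self-grant permissions, default SMS handler takeover, and overlay windows) is something a defender can screen for statically. The following is an added example, not code from the article or from ThreatFabric: it triages a constructed AndroidManifest.xml for that pattern. The package name and component names in the sample are placeholders.

```python
# Added example (not from the original article): defender-side triage of an
# Android manifest for the component/permission mix the article attributes
# to Ginp: accessibility service, default-SMS-app takeover, SMS and overlay.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; the package name is a placeholder, not an IoC.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.flashplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the set of risk indicators found in an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID_NS + "name") for e in root.iter("action")}
    svc_perms = {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    found = set()
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in svc_perms:
        found.add("accessibility_service")  # can self-grant further permissions
    if "android.provider.Telephony.SMS_DELIVER" in actions:
        found.add("default_sms_handler")  # can take over SMS, including 2FA codes
    if perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        found.add("sms_read")
    if "android.permission.SEND_SMS" in perms:
        found.add("sms_send")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        found.add("overlay_window")  # prerequisite for overlay attacks
    return found

def is_banker_like(found):
    """Accessibility + default-SMS handler + overlay together is the Ginp pattern."""
    return {"accessibility_service", "default_sms_handler", "overlay_window"} <= found
```

A benign app rarely needs all three at once, so the heuristic is useful as a triage filter before manual review, not as a verdict on its own.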
When the Anubis source code leaked, it was added to other malware, and Ginp also reused parts of it, even though Ginp itself was developed from scratch.
A new version of Ginp with some inactive features was detected this month, indicating that its developers are continuing to update their product.
The overlays used in the latest version are almost identical to the legitimate banking apps. Ginp has the features common to mobile bankers, but researchers warn that its capabilities could expand if more code is borrowed from Anubis or other malware.
For the time being, only Spanish banks have been on the target list. However, it may be extended to apps used in other countries, since the path used for the injection request contains a country code.