A new strain of mobile banking trojan called Ginp has been constantly refined to collect login credentials and credit card details.
Starting in early June as an SMS stealer that delivered the victim’s incoming and outgoing messages to a command and control (C2) server, the mobile malware slowly changed focus towards payment card details.
Moving to banking apps
Ginp was first seen in late October by Tatyana Shishkova, Android malware analyst at Kaspersky, who noted that the trojan disguised as Adobe Flash Player and targeted users in Spain and the U.K.
Researchers at Amsterdam-based cybersecurity company ThreatFabric tracking the malware say that Ginp went through clear stages of evolution over the past five months and it initially posed as a “Google Play Verifcator” app.
The first banking trojan features appeared in a second version in August, which took the guise of Adobe Flash Player and was able to run overlay attacks.
Ginp could also become the default SMS app by registering itself, with the consent of the user, as an accessibility service, which is designed to help people with various disabilities.
After getting accessibility privileges, the malware can grant itself additional permissions without user interaction. Making calls and sending messages are among the capabilities gained this way.
At an earlier development stage, the malware was still not a full-blown banking trojan as the “overlay consisted of a generic credit card grabber targeting social and utility apps, such as Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram, and Twitter.”
The third iteration of Ginp gained a fresh overlay target list that targeted only banking apps. This release also included code from Anubis banking trojan. All the banks in the list were Spanish and included big names: Caixa, Santander, EVO Banco, BBVA, Bankinter, Bankia, and Kutxabank.
Since retrieving all SMS received by the victim is on the list of commands supported by Ginp, the threat actor can easily grab the two-factor authentication (2FA) codes some banks send out to prevent fraudulent logins.
Borrowing from Anubis
The Anubis source code was leaked earlier this year and some of it was soon added to other malware. In a report in August, ThreatFabric notes that also running with code borrowed from Anubis is Cerberus, a banking trojan that got into the malware-as-a-service business.
Unlike other Android banking trojans that are mere clones of Anubis, Ginp was developed from scratch and just reuses code from its predecessor. Supporting this conclusion are the names for various Android components, which are the same in both threats, as well as the code behind them.
Below is a comparison of the names of receivers and services used in Ginp and Anubis that clearly shows a common origin.
This is a superficial check, though, so the researchers went deeper with their analysis. Looking at the code for the components shows that their reasoning is correct and parts of Anubis are present in Ginp.
Further support of this theory is the handling of configuration values in the variables of a class, which in the latest Ginp version changed to SharedPreferences, some of the keys being the same as in Anubis, the researchers explain.
A new version of Ginp with features that are still inactive was detected this month, showing that its developers keep improving their product.
The overlays used in the newest iteration analyzed are “almost identical to the legitimate banking apps,” indicating that the author(s) know their targets very well. Ginp comes with a set of features that is common among mobile bankers but researchers warn that its capabilities can extend if more code is borrowed from Anubis or other malware. More specifically, the researchers refer to back-connect proxy, screen-streaming, and remote access
For the moment, only Spanish banks have been seen on the target list. However, the actor may extend to apps used in other countries since the path used the inject request has a country code.