Security experts at ThreatFabric discovered an Android banking Trojan, dubbed Ginp, that steals both login credentials and credit card data.
“What makes Ginp stand out is that it was built from scratch being expanded through regular updates, the last of which including code copied from the infamous Anubis banking Trojan, indicating that its author is cherry-picking the most relevant functionality for its malware. In addition, its original target list is extremely narrow and seems to be focused on Spanish banks.” reads the report published by ThreatFabric. “Last but not least, all the overlay screens (injects) for the banks include two steps; first stealing the victim’s login credentials, then their credit card details.”
The initial version of the malware dates back to early June 2019, it was masquerading as a “Google Play Verificator” app and it was developed to steal victim’s SMS messages. In August, its authors implemented some banking-specific features and started spreading the malicious code as fake “Adobe Flash Player” apps.
The malware abuses the Accessibility Service to perform overlay attacks and become the default SMS app.
By using overlay attacks as part of a generic credit card grabber the malware targets social and utility apps, including Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram, and Twitter.
A more recent was also able to target Snapchat and Viber applications.
Experts noticed that the third version spotted in the wild includes the source code of the Anubis Trojan that was leaked earlier this year, this variant no longer includes social apps in the target list, instead, it focuses on banks.
“A remarkable fact is that all the targeted apps relate to Spanish banks, including targets never seen before in any other Android banking Trojan. The 24 target apps belong to 7 different Spanish banks: Caixa bank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander.” continues the analysis.
The latest version, discovered this month by the experts, only implemented minor changes that seem to be unused. The author also implemented a feature to grant the app the device admin permission to perform tasks such as sending messages and making calls.
“When the malware is first started on the
Once the user has granted the requested Accessibility Service privilege, Ginp starts by granting itself additional permissions, including permissions to send messages and make calls without any user interaction. At this point, the malware
Ginp is currently implementin
Experts believe Ginp will continue to evolve in the next months by implementing new capabilities. Experts believe that the authors of the malware are planning an expansion
(SecurityAffairs – Ginp, malware)