One of the most important developments in privacy, both for private individuals and businesses, has been the Virtual Private Network or VPN. VPNs are simple, elegant privacy solutions that make the internet safer for their users by making it harder for hackers and cybercriminals to compromise their systems and providing [...]
ThreatFabric analysts have recently investigated an interesting new strain of banking malware.
The malware was first spotted by
Tatyana Shishkova from
Kaspersky by end October 2019, but actually dates back to June 2019. It is still under active
development, with at least 5 different versions of the Trojan released within the last 5
months (June – November 2019).
What makes Ginp stand out is that it was built from scratch being expanded through regular
updates, the last of which including code copied from the infamous Anubis banking Trojan,
indicating that its author is cherry-picking the most relevant functionality for its malware.
In addition, its original target list is extremely narrow and seems to be focused on Spanish
banks. Last but not least, all the overlay screens (injects) for the banks include two steps;
first stealing the victim’s login credentials, then their credit card details. Although
multi-step overlays are not something new, their usage is generally limited to avoid raising
suspicion.
The initial version of the malware dates back to early June 2019, masquerading as a “Google
Play Verificator” app. At that time, Ginp was a simple SMS stealer whose purpose was only to
send a copy of incoming and outgoing SMS messages to the C2 server.
A couple of months later, in August 2019, a new version was released with additional
banking-specific features. This and following versions were masquerading as fake “Adobe
Flash Player” apps. The malware was able to perform overlay attacks and become the default
SMS app through the abuse of the Accessibility Service. The overlay consisted of a generic
credit card grabber targeting social and utility apps, such as Google Play, Facebook,
WhatsApp, Chrome, Skype, Instagram and Twitter.
Although early versions had some basic code and string obfuscation, protection of the third
version of the malware was enhanced with the use of payload obfuscation. The capabilities
remained unchanged, but a new endpoint was added to the Trojan C2 allowing it to handle the
generic card grabber overlay and specific target overlays (banking apps) separately. In
addition, the credit card grabber target list was expanded with Snapchat and Viber.
In the third version spotted in the wild, the author introduced parts of the source code of
the infamous Anubis Trojan (which was leaked earlier in 2019). This change came hand in hand
with a new overlay target list, no longer targeting social apps, but focusing on banking
instead. A remarkable fact is that all the targeted apps relate to Spanish banks, including
targets never seen before in any other Android banking Trojan. The 24 target apps belong to
7 different Spanish banks: Caixa bank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and
Santander. The specific apps can be found in the target list in the appendix.
The most recent version of Ginp (at the time of writing) was detected at the end of November
2019. This version has some small modifications which seems to be unused, as the malware
behaviour is the same as the previous version. The author has introduced the capability to
grant the app the device admin permission. Additionally new endpoint was added that seems
related to downloading a module for the malware, probably with new features or configuration.
When the malware is first started on the device it will begin by removing its icon from the app
drawer, hiding from the end user. In the second step it asks the victim for the Accessibility
Service privilege as visible in following screenshot:
Once the user grants the requested Accessibility Service privilege, Ginp starts by granting
itself additional permissions, such as (dynamic) permissions required in order to be able to
send messages and make calls, without requiring any further action from the victim. When done,
the bot is functional and ready to receive commands and perform overlay attacks.
The commands supported by the most recent version of the bot are listed below. As can be
observed, the possibilities offered by the bot are pretty common.
| Command | Description |
|---|---|
| SEND_SMS | Send an SMS from the bot to a specific number |
| NEW_URL | Update the C2 URL |
| KILL | Disable the bot |
| PING_DELAY | Update interval between each ping request |
| CLEAN_IGNORE_PKG | Empty list of overlayed apps |
| WRITE_INJECTS | Update target list |
| READ_INJECTS | Get current target list |
| START_ADMIN | Request Device Admin privileges |
| ALL_SMS | Get all SMS messages |
| DISABLE_ACCESSIBILITY | Stop preventing user from disabling the accessibility service |
| ENABLE_ACCESSIBILITY | Prevent user from disabling the accessibility service |
| ENABLE_HIDDEN_SMS | Set malware as default SMS app |
| DISABLE_HIDDEN_SMS | Remove malware as default SMS app |
| ENABLE_EXTENDED_INJECT | Enable overlay attacks |
| DISABLE_EXTENDED_INJECT | Disable overlay attacks |
| ENABLE_CC_GRABBER | Enable the Google Play overlay |
| DISABLE_CC_GRABBER | Disable the Google Play overlay |
| START_DEBUG | Enable debugging |
| GET_LOGCAT | Get logs from the device |
| STOP_DEBUG | Disable debugging |
| GET_APPS | Get installed applications |
| GET_CONTACTS | Get contacts |
| SEND_BULK_SMS | Send SMS to multiple numbers |
| UPDATE_APK | Not implemented |
| INJECT_PACKAGE | Add new overlay target |
| CALL_FORWARD | Enable/disable call forwarding |
| START_PERMISSIONS | Starts request for additional permissions(Accessibility privileges, battery optimizations bypass, dynamic permissions) |
The most recent version of Ginp has the same capabilities as most other Android banking Trojans,
such as the use of overlay attacks, SMS control and contact list harvesting. Overall, it has a
fairly common feature list, but it is expected to expand in future updates. Since Ginp is
already using some code from the Anubis Trojan, it is quite likely that other, more advanced
features from Anubis or other malware, such as a back-connect proxy, screen-streaming and
RAT will also be added in the future.
Ginp embeds the following set of features, allowing it to remain under the radar and
successfully perform attacks:
At the end of February the actors behind Ginp added screen capture capabilities to their Trojan. Like previously added functionality, the code is borrowed from the leaked
Anubis Trojan source code. It enables the bot to stream screenshots and send them to the C2 so that actors can see what is happening on the screen of the infected device.
Ginp uses the Accessibility Service to check which application runs is the foreground. If the
package name of the foreground app is included in the target list, an overlay is shown. The
WebView-based overlay is loading an HTML page provided by the C2 in response to the package
name provided by the bot.
The following code snippet shows how the WebView is created.
Something that makes Ginp special is that all of its overlay screens for banking apps are
consist of multiple steps, first stealing the victim’s login credentials, then stealing
the credit card details (to “validate” the user identity), as shown in the screenshots
hereafter:
The following code snippet shows that after the second overlay is filled-in and validated,
it disappears and the targeted application is added to the list of packages names to be
ignored for future overlays attacks.
The initial version of Ginp had a generic credit card grabber overlay screen used for all
targeted applications. Still included in the last versions, this screen is only used to
overlay the official Google Play Store app. More apps could be added to the grabber target
list in the future, such as the ones that were targeted in older versions:
The following screenshot shows the generic card grabber overlay screen:
The current active target list is available in the appendix, containing a total of 24 unique
targets. The following screenshots show what type of information is collected in both steps
of the overlay attack:
Once the Anubis bot code got leaked, it was just a matter of time before new banking Trojans
based on Anubis would surface. When analyzing the Ginp’s recent samples, ThreatFabric
analysts found some similarities with the famous Android banking Trojan. Based on the
evolution of Ginp it is clear that it isn’t based on Anubis, but rather reuses some of its
code. Below are some of the elements showing the relation.
The names used for Android components are similar:
When analyzing these components, similarities were found in the code of both malware families:
Another major change that indicated that the actor copied code from the Anubis Trojan is the
way of handling configuration values. Previous versions were storing config values within the
variables of a class, while the latest version is using SharedPreferences with some of the
keys being identical to those used by Anubis:
Ginp is a simple but rather efficient banking Trojan providing the basic functionality to be
able to trick victims into delivering personal information. In a 5-month timespan, actor
managed to create a Trojan from scratch which will presumably continue evolving offering new
features such as keylogging, back-connect proxy or RAT capabilities.
Ginp’s unusual target selection is not just about its focus on Spanish banks but also the wide
selection of targeted apps per bank. The fact that the overlay screens are almost identical
to the legitimate banking apps suggests that the actors might be very familiar with the
Spanish banking applications and might even be accustomed to the language.
Although the current target list is limited to Spanish apps, it seems that the actor is taking
into account that the bot should also be able to target other countries, seeing that the path
used in the inject requests contains the country code of the targeted institution. This could
indicate that actor already has plans in expanding the targets to applications from different
countries and regions.
Our Mobile Threat Intelligence (MTI) solution provides a strategic and contextual overview of
the threat-landscape, as well as in-depth tactical information to make the intelligence
actionable.
MTI prevents financially motivated threat actors from being successful.
Our Client Side Detection (CSD) solution provides a real-time risk overview of the Web and
Mobile channels, by detecting known and unknown threats.
By doing so, CSD enables immediate, automated and scalable online fraud prevention and risk
remediation.
Some of the latest Ginp samples found in the wild:
| App name | Package name | SHA-256 hash |
|---|---|---|
| Google Play Verificator | sing.guide.false | 0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5 |
| Google Play Verificator | park.rather.dance | 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7 |
| Adobe Flash Player | ethics.unknown.during | 5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f |
| Adobe Flash Player | solution.rail.forward | 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea |
| Adobe Flash Player | com.pubhny.hekzhgjty | 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c |
| Adobe Flash Player | sentence.fancy.humble | 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212 |
The current list of apps observed to be targeted by Ginp contains a total of 24
unique applications as seen below. This list is expected to grow in the future.
| Package name | Application name |
|---|---|
| com.android.vending | Play Store |
| es.lacaixa.hceicon2 | CaixaBank Pay: Mobile Payments |
| es.lacaixa.mobile.android.newwapicon | CaixaBank |
| es.caixabank.caixabanksign | CaixaBank Sign – Digital Coordinate Card |
| es.caixabank.mobile.android.tablet | CaixaBank Tablet |
| com.imaginbank.app | imaginBank – Your mobile bank |
| es.lacaixa.app.multiestrella | Family |
| com.bankinter.launcher | Bankinter Móvil |
| com.bankinter.bkwallet | Bankinter Wallet |
| com.bankinter.coincwallet | COINC Wallet |
| com.bankinter.bankintercard | bankintercard |
| es.cm.android | Bankia |
| com.bankia.wallet | Bankia Wallet |
| es.cm.android.tablet | Bankia Tablet |
| com.bbva.bbvacontigo | BBVA Spain |
| com.bbva.netcash | BBVA Net Cash | ES & PT |
| es.evobanco.bancamovil | EVO Banco móvil |
| com.redsys.bizum | EVO Bizum |
| com.kutxabank.android | Kutxabank |
| es.redsys.walletmb.app.kutxa.pro | KutxabankPay |
| es.bancosantander.apps | Santander |
| es.banconsantander.app.tablet | Santander Tablet |
| es.bancosantander.android.confirming | Confirming Santander |
| com.tm.sanstp | Santander Cash Nexus |
This content was originally published here.
Security firm Check Point said it uncovered an Iranian hacking group that has developed special Android malware capable of intercepting and stealing two-factor authentication (2FA) codes sent via SMS. The ...
Ad-light, Malware-heavy Since December 17, Forbes has been running an experiment wherein some fraction of visitors who are running ad blockers are blocked from accessing Forbes articles until they disable their ad blocker. In exchange, Forbes promises an “ad-light experience”: A Forbes article published yesterday claims that this interstitial resulted in 42.4% of visitors turning ...
