The Ginp Trojan is Android malware that was identified by a security researcher during one of its recent attack campaigns. The samples believed to have been used in that campaign date to the end of October 2019, although some of the first instances of the threat were detected in June. This shows that the Trojan is being actively developed by its operators; five major updates are known since its first release.
It is primarily spread via mobile apps hosted on Google Play and other repositories. As soon as it is installed on a device it launches a banking malware engine that harvests financial data for use in various crimes.
The Ginp Trojan Is Among The Most Dangerous Banking Malware For Android
Android malware is one of the most prevalent threats that end users face today, because many hacking collectives have become adept at developing malicious apps for the mobile operating system. According to the available information, Ginp is based on the well-known Anubis malware. The first versions of this Trojan were released on the Google Play store and other repositories under the name Google Play Verificator in an attempt to trick visitors into installing it. This tactic relies on the common technique of creating dangerous applications that are disguised as useful system utilities.
In these first samples the Ginp Trojan did not yet possess much of the rich functionality for which it is now known. When launched it harvested the stored SMS messages and sent them to a specified hacker-controlled server. Only a few months after the initial version the criminals created a much more capable Ginp Trojan release.
The Ginp Trojan And Its Latest Release
News broke about the new version of the threat, which features a much richer set of capabilities. This time the malicious carrier apps that host it are called Adobe Flash Player, and they can be hosted both on Google Play and on other repositories. If the criminals intend to run an even larger distribution campaign they can use other places where the virus files (in archives or APK form) can be hosted:
- Documents — Macro-infected documents can be used to deliver the virus file to target devices. When the victims open them a prompt asks them to enable macros in order to view the contents correctly. The macros are scripts that extract and run the virus code without the user noticing.
- Other APK Packages — The hackers can create a variety of other dangerous app bundles. Usually the most popular applications are targeted, as their identity can easily be faked.
- Malware Third-Party Hosts — Ginp Trojan files can be hosted on hacker-maintained web sites, with links to them added to social network profiles of fake or hacked accounts. Usually interactive code is placed on these sites which constantly “nags” visitors with all types of content (banners, pop-ups and redirects) into downloading or running a file.
Given that the Ginp Trojan is classified as a banking Trojan, one of the most widely used strategies would be to devise phishing campaigns. These can use either email messages or hacker-controlled sites hosted on domain names that sound similar to those of well-known services or companies.
Capabilities Of The Ginp Trojan on Android
Having access to the various Ginp Trojan samples and the latest releases, we can state that the current versions are advanced. While no information is available about the hacking collective behind it, the criminals have been able to devise a rich list of features.
As soon as the threat is executed on a device the app removes its icon from the launcher, which makes it impossible for the user to open it in the ordinary way. The next step is to spawn a prompt asking the victim to enable the Accessibility Service. This may appear to be an ordinary and innocent-looking request, but it allows the main infection engine to carry out far more dangerous actions. The full list of functionality found in the latest versions is the following:
- Sending an SMS message to a specified number
- Updating the URL of the hacker-controlled server
- Disabling the virus
- Updating the refresh interval
- Clearing the list of overlaid apps
- Updating the target list
- Requesting device administrator privileges
- Retrieving SMS messages
- Blocking the user's attempts to dismiss the triggered prompt
- Setting the malware as the default SMS app
- Removing the malware as the default SMS app
- Enabling the overlay attacks
- Disabling the overlay attacks
- Enabling the Google Play overlay
- Disabling the Google Play overlay
- Starting debug mode
- Retrieving log files
- Disabling debug mode
- Listing all installed applications
- Listing all contacts
- Sending SMS to multiple numbers
- Updating the package
- Adding a new overlay
- Call forwarding
- Starting a permissions request
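As an added illustration (not code from the original article or from any Ginp analysis), the following Python triage script checks a decoded AndroidManifest.xml for the permission and component combination that the capability list above implies: the overlay permission, SMS access, an Accessibility Service declaration, a device-administrator receiver and a default-SMS-app candidate. The sample manifest, package name and component names are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Manifest-level permissions that map to the capability list above.
SUSPECT_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays over other apps",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SEND_SMS": "can send SMS",
}
# Component bind permissions: Accessibility Service and device administrator.
SUSPECT_BIND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "declares an Accessibility Service",
    "android.permission.BIND_DEVICE_ADMIN": "declares a device-admin receiver",
}
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"  # default-SMS-app candidate

def triage_manifest(manifest_xml: str) -> dict:
    # Returns package name, the indicators found and a simple count-based score.
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NS + "name", "")
        if name in SUSPECT_PERMISSIONS:
            findings.append(f"{name}: {SUSPECT_PERMISSIONS[name]}")
    app = root.find("application")
    for comp in (list(app) if app is not None else []):  # direct children only
        label = f"{comp.tag} {comp.get(NS + 'name', '?')}"
        bind = comp.get(NS + "permission", "")
        if bind in SUSPECT_BIND:
            findings.append(f"{label}: {SUSPECT_BIND[bind]}")
        # A receiver filtering SMS_DELIVER is what a default-SMS-app candidate declares.
        if any(a.get(NS + "name") == SMS_DELIVER for a in comp.iter("action")):
            findings.append(f"{label}: eligible to become the default SMS app")
    return {"package": root.get("package", ""), "findings": findings, "score": len(findings)}

# Constructed sample manifest for illustration (hypothetical names, not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Adobe Flash Player">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".SmsRx">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a manifest extracted with a decoder such as apktool; a high score on an app that claims to be a media player is the combination worth escalating.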
Overview of a Ginp Trojan Attack
Like other similar banking Trojans, the engine automatically scans the infected Android device for commonly used social network apps or mobile banking services. The virus then sets up an invisible overlay on top of the targeted app, which means that all user interactions are controlled and monitored by the hackers. Over a dedicated network connection all captured data is transmitted to the criminals in real time. As a sophisticated Android threat, the Ginp Trojan also allows the criminal group to execute the extensive list of commands given above.
The intention is to capture the user's input of personal information and payment card details. The analyzed samples have been found to target the following apps:
Facebook, WhatsApp, Skype, Twitter, Chrome, Instagram, Snapchat and Viber
A list of the mobile banking applications which are supported is the following:
Play Store, CaixaBank Pay: Mobile Payments , CaixaBank, CaixaBank Sign – Digital Coordinate Card, CaixaBank Tablet, imaginBank – Your mobile bank, Family, Bankinter Móvil, Bankinter Wallet, COINC Wallet, bankintercard, Bankia, Bankia Wallet, Bankia Tablet, BBVA Spain, BBVA Net Cash | ES & PT, EVO Banco móvil, EVO Bizum, Kutxabank, KutxabankPay, Santander, Santander Tablet, Confirming Santander and Santander Cash Nexus.
The overlay can present a credit card prompt which in some situations may be perceived as legitimate and safe. The information harvesting engine may also be updated to support many more of the popular banking apps. Some of the captured samples appear to include working support for solutions operated by Spanish financial institutions. As the attacks continue to unfold we anticipate that more detailed information will become available on the identity of the hackers as well as the compromised targets.