A newly found Android banking trojan with a narrow target list and two-stage overlays is capable of stealing login and credit card credentials, ThreatFabric reports.
Dubbed Ginp and discovered in October, the malware has been around since June and has since had five major updates, with the latest version borrowing code from the Anubis trojan.
Ginp was originally distributed as a “Google Play Verifier” app and was built around stealing SMS messages. It was revamped in August with banking features and started posing as fake “Adobe Flash Player” applications.
The malware performs overlay attacks and sets itself up as the default SMS app by abusing the Accessibility Service. Its generic credit card grabber targeted Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram, and Twitter. A third version added Snapchat and Viber to the target list.
The next update introduced Anubis code (the Anubis source code leaked earlier in the year) and switched to a new banking-focused overlay target list. It now covers 24 apps from seven Spanish banks: CaixaBank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander.
Detected this month, the newest version brings only minor modifications, including a new module-related endpoint, probably in preparation for new features or configurations.
When run on the victim’s phone, it removes its icon from the app drawer and then requests Accessibility Service rights. Once those rights are granted, the malware grants itself additional permissions to send SMS messages and make calls.
Depending on the commands it receives, Ginp can send or harvest SMS messages, update the command and control (C&C) URL, update the target list, request administrator privileges, set itself as the default SMS app, prevent users from disabling the accessibility service, enable overlays, retrieve the list of installed apps or contacts, enable call forwarding, hide itself and prevent removal, and more.
In addition to asking for the victim’s login credentials, the malware’s overlays ask for credit card details to “verify the user’s identity”. Once this second step has been completed, the successfully targeted app is skipped in future attacks.
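The behaviour described above (an app that holds accessibility rights, draws overlays, takes over the default SMS role, hides its icon and poses as a well-known brand) is a combination that a defender can score from an app inventory. The following is an added example, not ThreatFabric’s tooling or anything from the original article; the inventory schema, the weights, the detection threshold and the vendor package namespaces are all assumptions, and the sample inventory is constructed.

```python
from dataclasses import dataclass, field

# Capabilities the article reports Ginp requesting. The weights are an
# assumption for this example, not published ThreatFabric thresholds.
RISK_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3,  # accessibility service
    "android.permission.SYSTEM_ALERT_WINDOW": 3,         # draw overlays
    "android.permission.RECEIVE_SMS": 2,                 # harvest SMS / OTPs
    "android.permission.SEND_SMS": 2,
    "android.permission.CALL_PHONE": 1,                  # make calls, call forwarding
    "android.permission.READ_CONTACTS": 1,               # contact list retrieval
}
OVERLAY_COMBO = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
DEFAULT_SMS_ROLE = "android.app.role.SMS"

# Labels Ginp has posed as, paired with the package prefixes the real
# vendor would use (assumed namespaces for this example).
IMPERSONATED = {
    "adobe flash player": ("com.adobe.",),
    "google play": ("com.google.", "com.android.vending"),
}


@dataclass
class AppRecord:
    """One installed app as an MDM or inventory export might describe it
    (assumed schema for this example)."""
    package: str
    label: str
    permissions: set
    roles: set = field(default_factory=set)
    launcher_icon: bool = True
    device_admin: bool = False


def impersonates_known_brand(app):
    """True when the label mimics a well-known app but the package name
    is outside that vendor's namespace."""
    label = app.label.lower()
    for brand, prefixes in IMPERSONATED.items():
        if brand in label and not app.package.startswith(prefixes):
            return True
    return False


def score_app(app):
    """Return (score, reasons) for one app; higher means more Ginp-like."""
    score = 0
    reasons = []
    for perm in sorted(app.permissions):
        if perm in RISK_WEIGHTS:
            score += RISK_WEIGHTS[perm]
            reasons.append(perm.rsplit(".", 1)[1])
    if OVERLAY_COMBO <= app.permissions:
        score += 3  # accessibility + overlay is the overlay-attack building block
        reasons.append("accessibility+overlay combination")
    if DEFAULT_SMS_ROLE in app.roles:
        score += 2
        reasons.append("holds default SMS app role")
    if not app.launcher_icon:
        score += 2  # Ginp hides its icon after first run
        reasons.append("no launcher icon")
    if app.device_admin:
        score += 1
        reasons.append("device administrator")
    if impersonates_known_brand(app):
        score += 4
        reasons.append("label impersonates a known app")
    return score, reasons


def triage(inventory, threshold=8):
    """Return packages scoring at or above threshold, highest score first."""
    scored = [(score_app(a)[0], a.package) for a in inventory]
    return [pkg for score, pkg in sorted(scored, reverse=True) if score >= threshold]


# Constructed sample inventory (not real packages or telemetry).
SAMPLE_INVENTORY = [
    AppRecord(
        package="com.android.messaging",
        label="Messages",
        permissions={"android.permission.RECEIVE_SMS",
                     "android.permission.SEND_SMS",
                     "android.permission.READ_CONTACTS"},
        roles={DEFAULT_SMS_ROLE},
    ),
    AppRecord(
        package="com.example.notes",
        label="Notes",
        permissions={"android.permission.READ_CONTACTS"},
    ),
    AppRecord(
        package="zx.flash.update",
        label="Adobe Flash Player",
        permissions=set(RISK_WEIGHTS),
        roles={DEFAULT_SMS_ROLE},
        launcher_icon=False,
        device_admin=True,
    ),
]

if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        print(app.package, *score_app(app))
    print("flagged:", triage(SAMPLE_INVENTORY))
```

A legitimate SMS client scores on the SMS permissions and the default-SMS role alone and stays below the threshold; only the combination of accessibility, overlay, hidden icon, device-admin and a borrowed brand name pushes the fake "Flash Player" entry well above it, which is the point of scoring the bundle rather than any single permission.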
Simple but effective, Ginp is expected to keep evolving, probably adding more Anubis capabilities. Within 5 months, its authors have shown they can build a Trojan with powerful capabilities from scratch.
“Ginp’s unique target choice not only focuses on Spanish banks but also on a broad range of targeted applications per account. The fact that the overlay screens are very similar to the legitimate bank applications indicates that the actors are familiar with, and may even be accustomed to, the Spanish banking applications,” said ThreatFabric.
Since the deployment path contains the country code of the target organisation, ThreatFabric assumes that the malware author already plans to expand to other countries or regions.