Researchers at Dutch cybersecurity company ThreatFabric are tracking an Android trojan that’s been rapidly improving in recent months. Dubbed Ginp, it uses overlay attacks to steal login credentials and payment card details from banking app users.
The trojan was first spotted by Kaspersky in October but, according to ThreatFabric, has been in the wild since June. «What makes Ginp stand out is that it was built from scratch, being expanded through regular updates, the last of which including code copied from the infamous Anubis banking trojan, indicating that its author is cherry-picking the most relevant functionality for its malware», ThreatFabric said in its research report.
The best way to prevent user-data leakage, and to protect your banking apps from trojans using accessibility services and untrusted screen readers, is to implement Promon’s In-App Protection technology.
A developing threat
Initially, the trojan used a generic overlay window that asked users for payment card information when opening apps like Google Play, Facebook and WhatsApp. Subsequently, payload obfuscation was added to make detection harder, as well as dedicated overlays for specific banking apps. The latest version includes code from Anubis, leaked earlier this year, to enhance its overlay attacks. It now targets 24 apps from seven Spanish banks with unique overlays for each app – dynamically loaded from a command-and-control server.
Although the current focus is on Spanish banks, this might change as attackers build overlays for other banking apps. «Although the actual targets are Spanish banking applications, looking at the path used in the inject requests, it is noticeable that the path of the overlays includes the country code of the target institutions», ThreatFabric noted. «This could indicate that actor(s) already have plans in expanding the target to applications from different countries and regions».
Ginp’s feature list expected to grow
When the malware is started on the device, masquerading as a legitimate app, it hides its launcher icon so the victim cannot easily find and remove it. It then asks the user to enable its accessibility service. Once that is granted, Ginp uses the accessibility service to grant itself further permissions, such as the runtime permissions required to send SMS messages and place calls, without any further user action. The bot is then functional and ready to receive commands and perform overlay attacks.
«Ginp has the same capabilities as most other Android banking trojans, such as the use of overlay attacks, SMS control, and contact list harvesting», ThreatFabric said. «Overall, it has a fairly common feature list, but it’s expected to expand during future updates. Since some of the code from the Anubis trojan is already reused in Ginp, it’s quite likely that new features, such as back-connect proxy, screen-streaming, and Remote Access trojan will also be added».
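The infection chain above (enable an accessibility service, self-grant permissions, then draw overlays and, later, stream the screen) suggests what a banking app can check for on its side. The following Android login screen is an added example written for this page; it is not Promon's or ThreatFabric's code. `LoginActivity`, the `TRUSTED_A11Y_PACKAGES` allowlist (seeded with TalkBack's package names) and the log-and-hide reaction are assumptions; a real app would plug its own risk policy into the `onResume` branch.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.provider.Settings;
import android.text.InputType;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import android.widget.EditText;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical banking-app login screen (added example, not Promon's or
 * ThreatFabric's code). Three hardening steps against the Ginp-style chain:
 * enumerate enabled accessibility services, refuse touches that arrive
 * through an overlay, and keep the window out of screenshots and screen streams.
 */
public class LoginActivity extends Activity {

    private static final String TAG = "LoginActivity";

    // Assumed allowlist: assistive services the bank accepts (TalkBack here).
    // Every other enabled AccessibilityService is treated as a risk signal.
    private static final Set<String> TRUSTED_A11Y_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback",
            "com.android.talkback"));

    private EditText password;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE excludes this window from screenshots, screen recording and
        // MediaProjection-based screen streaming (the RAT feature Ginp may inherit).
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        if (Build.VERSION.SDK_INT >= 31) {
            // Android 12+: hide other apps' TYPE_APPLICATION_OVERLAY windows while this
            // activity is visible (declare HIDE_OVERLAY_WINDOWS in the manifest).
            getWindow().setHideOverlayWindows(true);
        }

        password = new EditText(this);
        password.setHint("Password");
        password.setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_VARIATION_PASSWORD);
        // Drop touches delivered while another window covers this view (tapjacking).
        password.setFilterTouchesWhenObscured(true);
        // Keep the secret out of the accessibility node tree, so a malicious
        // AccessibilityService cannot read it through AccessibilityNodeInfo.
        password.setImportantForAccessibility(View.IMPORTANT_FOR_ACCESSIBILITY_NO);
        setContentView(password);
    }

    @Override
    protected void onResume() {
        super.onResume();
        List<String> untrusted = untrustedAccessibilityServices(this);
        if (!untrusted.isEmpty()) {
            // Policy is the bank's call: warn, step up authentication or refuse the
            // form. This example only logs the finding and hides the field.
            Log.w(TAG, "Untrusted accessibility services enabled: " + untrusted);
            password.setVisibility(View.GONE);
        }
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Second line of defence for views that did not opt in to
        // setFilterTouchesWhenObscured: the system flags touches that passed
        // through another app's window lying on top of ours.
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            Log.w(TAG, "Touch arrived through an overlay; discarding");
            return true;
        }
        return super.dispatchTouchEvent(ev);
    }

    /**
     * Package names of every enabled AccessibilityService not on the allowlist.
     * Reads both the live AccessibilityManager list and the raw Secure setting
     * ("pkg/Service:pkg2/Service2") that a trojan turns on via the victim.
     */
    static List<String> untrustedAccessibilityServices(Context ctx) {
        Set<String> found = new HashSet<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am != null) {
            for (AccessibilityServiceInfo info
                    : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
                found.add(info.getResolveInfo().serviceInfo.packageName);
            }
        }
        String raw = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (raw != null) {
            for (String entry : raw.split(":")) {
                int slash = entry.indexOf('/');
                String pkg = slash > 0 ? entry.substring(0, slash) : entry;
                if (!pkg.isEmpty()) found.add(pkg);
            }
        }
        List<String> untrusted = new ArrayList<>();
        for (String pkg : found) {
            if (!TRUSTED_A11Y_PACKAGES.contains(pkg)) untrusted.add(pkg);
        }
        return untrusted;
    }
}
```

Two caveats. Ginp's overlay is a complete fake window that the victim types into, so touch filtering and `FLAG_SECURE` do not stop credentials entered into the fake form itself; they blunt tapjacking and screen streaming, and the accessibility-service check is the signal that actually fires on a Ginp-style infection. Second, the allowlist must be maintained with real assistive technology in mind, since locking out users of legitimate screen readers is a worse outcome than a warning, and a trojan that already holds an accessibility service can click through dialogs, so the client-side result should feed a server-side risk decision rather than be the only gate.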