Co-authored by Nethanella Messer.
Insights from IBM Trusteer Research
This is a customer notification that denotes increased risk due to current malware targeting of your web and/or mobile applications.
IBM Security Trusteer mobile threat researchers report new campaigns spreading the Ginp Android banking Trojan. The campaigns are focused on mobile banking users in Spain.
What’s New Here?
IBM Trusteer researchers have noted recent activity of the Ginp Android malware. Ginp is a fairly new strain of overlay mobile malware that has been active in the field from mid 2019. This malware is detected by the SDK as Android.Banker.Ginp.
So far, IBM Trusteer has observed Ginp infections in Spain, France, Poland, and the UK with more than 50% of all infections in Spain. Ginp mainly targets financial institution in Spain but its ever-growing target list also includes financial institutions in the UK and social applications.
Ginp uses fake overlay tactics to phish victim credentials and payment card data on their mobile device and can further steal and exfiltrate data from their devices, including second factor authentication (2FA) elements.
Overlay malware is commonly sold as a service in the underground; however, we believe the Ginp malware is currently privately operated. From a technical perspective, although the malware is actively maintained and constantly mutated in order to avoid detection, it is highly derivative and mostly based on older overlay malware whose code has leaked over the past few years.
The overall method that Ginp relies on to defraud mobile banking customers is a cross-channel account takeover (ATO) scheme. The overall flow of events is illustrated in the following image:
In the credential theft stage, Ginp may use more than one overlay to also request payment card details after the login credentials have been collected. Ginp’s tactics are not different from other, similar malware codes used in the mobile banking threat landscape. Trojans, such as Marcher/ExoBot (Android.Banker.Marcher) and BankBot Anubis (Android.Banker.Go_P00t) also use the same overall strategy to steal user credentials and second factor authentication codes to take over user accounts.
Ginp Malware Basics
Recent Android Ginp campaigns were spread to potential victims via SMS messages containing malicious links. The download purported to be a Flash Player update or an Android 10 update.
Upon installation, Ginp deletes its logo and hides from the user while running in the background. It launches the Accessibility Service menu and requests privileges that would allow it to monitor the apps the user opens.
Ginp may also request administrator privileges on the device under the guise of a system update if the most recent version is installed on the device. As part of its data stealing capabilities, Ginp sets itself up as the default SMS application on the infected device, to control incoming and outgoing messages. It steals the user’s contact list and sends them a message with its own installation link.
In its ongoing operations, Ginp monitors for the launch of targeted banking applications on the infected device and then dynamically fetches a matching HTML overlay from its controller’s C2 server.
The overlay screen hides the original app that the user may have opened, requesting their online banking credentials, credit card details or login combination to other targeted accounts. The malware overlay resembles the legitimate application almost completely, thus fooling users into entering their credentials into the malware overlay screen. Once entered, the malware sends the details to the attacker’s C2 server.
In cases where an additional authentication/authorization code is required, it can be stolen on contact from the receiving device. Ginp possesses data exfiltration capabilities that enable it to hijack incoming SMS messages and forward them to the attacker. It can thus compromise SMS-based two-factor authentication. In case of automated phone calls used for transaction authorization, the malware’s operator can forward calls from the infected device to a number they control and effectively complete the fraudulent transaction without the victim’s knowledge.
Ginp’s Fraud-Facilitating Features
Fake overlays fetched in real time from C2 server
Steals contact list(s)
Table 1: Ginp basic features
Overall, Ginp’s code, part of which was copied from BankBot Anubis, is not considered more sophisticated or distinct from other banking trojans that target Android users.
Moreover, unlike other overlay malware, which have been spreading through official app stores like Google Play, Ginp is currently known to be distributed via SMS campaigns. That limits the size of the campaign and also renders Ginp much more likely to be installed by users who have enabled installation from unknown sources.
Current Protection Status for this Threat
IBM® Security Trusteer® Pinpoint and Mobile SDK – Detects Ginp as Android.Banker.Ginp and protect against this attack.
Customers and applications using Trusteer Mobile SDK can detect the Ginp malware on infected devices and record its presence on compromised devices.
Customers and applications using Trusteer® Pinpont with Mobile integration are protected against the act of ATO abusing the information exfiltrated by Ginp malware.
Targeted customers are notified by our support team when applicable.
For more information, please contact our Enterprise Support team at: firstname.lastname@example.org.