fbpx
perm_phone_msgConsider your business risks? Chat With US

Ginp – A malware patchwork borrowing from Anubis | Blogs | ThreatFabric

Ransomware BCyber todayOctober 2, 2020 45

Background
share close

ThreatFabric analysts have recently investigated an interesting new strain of banking malware.
The malware was first spotted by
Tatyana Shishkova from
Kaspersky by end October 2019, but actually dates back to June 2019. It is still under active
development, with at least 5 different versions of the Trojan released within the last 5
months (June – November 2019).

What makes Ginp stand out is that it was built from scratch being expanded through regular
updates, the last of which including code copied from the infamous Anubis banking Trojan,
indicating that its author is cherry-picking the most relevant functionality for its malware.
In addition, its original target list is extremely narrow and seems to be focused on Spanish
banks. Last but not least, all the overlay screens (injects) for the banks include two steps;
first stealing the victim’s login credentials, then their credit card details. Although
multi-step overlays are not something new, their usage is generally limited to avoid raising
suspicion.

Evolution

The initial version of the malware dates back to early June 2019, masquerading as a “Google
Play Verificator” app. At that time, Ginp was a simple SMS stealer whose purpose was only to
send a copy of incoming and outgoing SMS messages to the C2 server.

A couple of months later, in August 2019, a new version was released with additional
banking-specific features. This and following versions were masquerading as fake “Adobe
Flash Player” apps. The malware was able to perform overlay attacks and become the default
SMS app through the abuse of the Accessibility Service. The overlay consisted of a generic
credit card grabber targeting social and utility apps, such as Google Play, Facebook,
WhatsApp, Chrome, Skype, Instagram and Twitter.

Although early versions had some basic code and string obfuscation, protection of the third
version of the malware was enhanced with the use of payload obfuscation. The capabilities
remained unchanged, but a new endpoint was added to the Trojan C2 allowing it to handle the
generic card grabber overlay and specific target overlays (banking apps) separately. In
addition, the credit card grabber target list was expanded with Snapchat and Viber.

In the third version spotted in the wild, the author introduced parts of the source code of
the infamous Anubis Trojan (which was leaked earlier in 2019). This change came hand in hand
with a new overlay target list, no longer targeting social apps, but focusing on banking
instead. A remarkable fact is that all the targeted apps relate to Spanish banks, including
targets never seen before in any other Android banking Trojan. The 24 target apps belong to
7 different Spanish banks: Caixa bank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and
Santander. The specific apps can be found in the target list in the appendix.

The most recent version of Ginp (at the time of writing) was detected at the end of November
2019. This version has some small modifications which seems to be unused, as the malware
behaviour is the same as the previous version. The author has introduced the capability to
grant the app the device admin permission. Additionally new endpoint was added that seems
related to downloading a module for the malware, probably with new features or configuration.

How it works

When the malware is first started on the device it will begin by removing its icon from the app
drawer, hiding from the end user. In the second step it asks the victim for the Accessibility
Service privilege as visible in following screenshot:

Once the user grants the requested Accessibility Service privilege, Ginp starts by granting
itself additional permissions, such as (dynamic) permissions required in order to be able to
send messages and make calls, without requiring any further action from the victim. When done,
the bot is functional and ready to receive commands and perform overlay attacks.

The commands supported by the most recent version of the bot are listed below. As can be
observed, the possibilities offered by the bot are pretty common.

Command Description
SEND_SMS Send an SMS from the bot to a specific number
NEW_URL Update the C2 URL
KILL Disable the bot
PING_DELAY Update interval between each ping request
CLEAN_IGNORE_PKG Empty list of overlayed apps
WRITE_INJECTS Update target list
READ_INJECTS Get current target list
START_ADMIN Request Device Admin privileges
ALL_SMS Get all SMS messages
DISABLE_ACCESSIBILITY Stop preventing user from disabling the accessibility service
ENABLE_ACCESSIBILITY Prevent user from disabling the accessibility service
ENABLE_HIDDEN_SMS Set malware as default SMS app
DISABLE_HIDDEN_SMS Remove malware as default SMS app
ENABLE_EXTENDED_INJECT Enable overlay attacks
DISABLE_EXTENDED_INJECT Disable overlay attacks
ENABLE_CC_GRABBER Enable the Google Play overlay
DISABLE_CC_GRABBER Disable the Google Play overlay
START_DEBUG Enable debugging
GET_LOGCAT Get logs from the device
STOP_DEBUG Disable debugging
GET_APPS Get installed applications
GET_CONTACTS Get contacts
SEND_BULK_SMS Send SMS to multiple numbers
UPDATE_APK Not implemented
INJECT_PACKAGE Add new overlay target
CALL_FORWARD Enable/disable call forwarding
START_PERMISSIONS Starts request for additional permissions(Accessibility privileges, battery optimizations bypass, dynamic permissions)

Features

The most recent version of Ginp has the same capabilities as most other Android banking Trojans,
such as the use of overlay attacks, SMS control and contact list harvesting. Overall, it has a
fairly common feature list, but it is expected to expand in future updates. Since Ginp is
already using some code from the Anubis Trojan, it is quite likely that other, more advanced
features from Anubis or other malware, such as a back-connect proxy, screen-streaming and
RAT will also be added in the future.

Ginp embeds the following set of features, allowing it to remain under the radar and
successfully perform attacks:

Update 10/03/2020

At the end of February the actors behind Ginp added screen capture capabilities to their Trojan. Like previously added functionality, the code is borrowed from the leaked
Anubis Trojan source code. It enables the bot to stream screenshots and send them to the C2 so that actors can see what is happening on the screen of the infected device.

Overlay attack

Ginp uses the Accessibility Service to check which application runs is the foreground. If the
package name of the foreground app is included in the target list, an overlay is shown. The
WebView-based overlay is loading an HTML page provided by the C2 in response to the package
name provided by the bot.

The following code snippet shows how the WebView is created.

Something that makes Ginp special is that all of its overlay screens for banking apps are
consist of multiple steps, first stealing the victim’s login credentials, then stealing
the credit card details (to “validate” the user identity), as shown in the screenshots
hereafter:

The following code snippet shows that after the second overlay is filled-in and validated,
it disappears and the targeted application is added to the list of packages names to be
ignored for future overlays attacks.

The initial version of Ginp had a generic credit card grabber overlay screen used for all
targeted applications. Still included in the last versions, this screen is only used to
overlay the official Google Play Store app. More apps could be added to the grabber target
list in the future, such as the ones that were targeted in older versions:

The following screenshot shows the generic card grabber overlay screen:

The current active target list is available in the appendix, containing a total of 24 unique
targets. The following screenshots show what type of information is collected in both steps
of the overlay attack:

Based on Anubis

Once the Anubis bot code got leaked, it was just a matter of time before new banking Trojans
based on Anubis would surface. When analyzing the Ginp’s recent samples, ThreatFabric
analysts found some similarities with the famous Android banking Trojan. Based on the
evolution of Ginp it is clear that it isn’t based on Anubis, but rather reuses some of its
code. Below are some of the elements showing the relation.

The names used for Android components are similar:

When analyzing these components, similarities were found in the code of both malware families:

Another major change that indicated that the actor copied code from the Anubis Trojan is the
way of handling configuration values. Previous versions were storing config values within the
variables of a class, while the latest version is using SharedPreferences with some of the
keys being identical to those used by Anubis:

Conclusion

Ginp is a simple but rather efficient banking Trojan providing the basic functionality to be
able to trick victims into delivering personal information. In a 5-month timespan, actor
managed to create a Trojan from scratch which will presumably continue evolving offering new
features such as keylogging, back-connect proxy or RAT capabilities.

Ginp’s unusual target selection is not just about its focus on Spanish banks but also the wide
selection of targeted apps per bank. The fact that the overlay screens are almost identical
to the legitimate banking apps suggests that the actors might be very familiar with the
Spanish banking applications and might even be accustomed to the language.

Although the current target list is limited to Spanish apps, it seems that the actor is taking
into account that the bot should also be able to target other countries, seeing that the path
used in the inject requests contains the country code of the targeted institution. This could
indicate that actor already has plans in expanding the targets to applications from different
countries and regions.

Mobile Threat Intelligence

Our Mobile Threat Intelligence (MTI) solution provides a strategic and contextual overview of
the threat-landscape, as well as in-depth tactical information to make the intelligence
actionable.

MTI prevents financially motivated threat actors from being successful.

Client Side Detection

Our Client Side Detection (CSD) solution provides a real-time risk overview of the Web and
Mobile channels, by detecting known and unknown threats.

By doing so, CSD enables immediate, automated and scalable online fraud prevention and risk
remediation.

Some of the latest Ginp samples found in the wild:

App name Package name SHA-256 hash
Google Play Verificator sing.guide.false 0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5
Google Play Verificator park.rather.dance 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7
Adobe Flash Player ethics.unknown.during 5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f
Adobe Flash Player solution.rail.forward 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea
Adobe Flash Player com.pubhny.hekzhgjty 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c
Adobe Flash Player sentence.fancy.humble 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212

Target list

The current list of apps observed to be targeted by Ginp contains a total of 24
unique applications as seen below. This list is expected to grow in the future.

Package name Application name
com.android.vending Play Store
es.lacaixa.hceicon2 CaixaBank Pay: Mobile Payments 
es.lacaixa.mobile.android.newwapicon CaixaBank
es.caixabank.caixabanksign CaixaBank Sign – Digital Coordinate Card
es.caixabank.mobile.android.tablet CaixaBank Tablet
com.imaginbank.app imaginBank – Your mobile bank
es.lacaixa.app.multiestrella Family
com.bankinter.launcher Bankinter Móvil
com.bankinter.bkwallet Bankinter Wallet
com.bankinter.coincwallet COINC Wallet
com.bankinter.bankintercard bankintercard
es.cm.android Bankia
com.bankia.wallet Bankia Wallet
es.cm.android.tablet Bankia Tablet
com.bbva.bbvacontigo BBVA Spain
com.bbva.netcash BBVA Net Cash | ES & PT
es.evobanco.bancamovil EVO Banco móvil
com.redsys.bizum EVO Bizum
com.kutxabank.android Kutxabank
es.redsys.walletmb.app.kutxa.pro KutxabankPay
es.bancosantander.apps Santander
es.banconsantander.app.tablet Santander Tablet
es.bancosantander.android.confirming Confirming Santander
com.tm.sanstp Santander Cash Nexus

This content was originally published here.

Written by: BCyber

Rate it
Previous post

Similar posts

Ransomware BCyber / October 19, 2020

Ad-light, Malware-heavy # Chris Dzombak

Ad-light, Malware-heavy Since December 17, Forbes has been running an experiment wherein some fraction of visitors who are running ad blockers are blocked from accessing Forbes articles until they disable their ad blocker. In exchange, Forbes promises an “ad-light experience”: A Forbes article published yesterday claims that this interstitial resulted in 42.4% of visitors turning ...

Read more trending_flat