Ginp

Ginp is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from Anubis.^[1]

ID: S0423

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Contributors: Aviran Hazum, Check Point; Sergey Persikov, Check Point

Version: 1.1

Created: 08 April 2020

Last Modified: 11 September 2020

Live Version

Techniques Used

Domain	ID		Name	Use
Mobile	T1533		Data from Local System	Ginp can download device logs.^[1]
Mobile	T1628	.001	Hide Artifacts: Suppress Application Icon	Ginp hides its icon after installation.^[1]
Mobile	T1417	.002	Input Capture: GUI Input Capture	Ginp can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.^[1]
Mobile	T1516		Input Injection	Ginp can inject input to make itself the default SMS handler.^[1]
Mobile	T1655	.001	Masquerading: Match Legitimate Name or Location	Ginp has masqueraded as "Adobe Flash Player" and "Google Play Verificator".^[1]
Mobile	T1406		Obfuscated Files or Information	Ginp obfuscates its payload, code, and strings.^[1]
Mobile	T1636	.003	Protected User Data: Contact List	Ginp can download the device’s contact list.^[1]
		.004	Protected User Data: SMS Messages	Ginp can collect SMS messages.^[1]
Mobile	T1513		Screen Capture	Ginp can capture device screenshots and stream them back to the C2.^[1]
Mobile	T1582		SMS Control	Ginp can send SMS messages.^[1]
Mobile	T1418		Software Discovery	Ginp can obtain a list of installed applications.^[1]
Mobile	T1633	.001	Virtualization/Sandbox Evasion: System Checks	Ginp can determine if it is running in an emulator.^[1]