Ginp is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from Anubis.[1]

ID: S0423
Platforms: Android
Contributors: Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.1
Created: 08 April 2020
Last Modified: 11 September 2020

Techniques Used

Domain ID Name Use
Mobile T1432 Access Contact List

Ginp can download the device’s contact list.[1]

Mobile T1413 Access Sensitive Data in Device Logs

Ginp can download device log data.[1]

Mobile T1418 Application Discovery

Ginp can obtain a list of installed applications.[1]

Mobile T1412 Capture SMS Messages

Ginp can collect SMS messages.[1]

Mobile T1533 Data from Local System

Ginp can download device logs.[1]

Mobile T1523 Evade Analysis Environment

Ginp can determine if it is running in an emulator.[1]

Mobile T1516 Input Injection

Ginp can inject input to make itself the default SMS handler.[1]

Mobile T1411 Input Prompt

Ginp can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.[1]

Mobile T1444 Masquerade as Legitimate Application

Ginp has masqueraded as "Adobe Flash Player" and "Google Play Verificator".[1]

Mobile T1406 Obfuscated Files or Information

Ginp obfuscates its payload, code, and strings.[1]

Mobile T1513 Screen Capture

Ginp can capture device screenshots and stream them back to the C2.[1]

Mobile T1582 SMS Control

Ginp can send SMS messages.[1]

Mobile T1508 Suppress Application Icon

Ginp hides its icon after installation.[1]