Ginp is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from Anubis.[1]

ID: S0423
Platforms: Android
Contributors: Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.1
Created: 08 April 2020
Last Modified: 11 September 2020

Techniques Used

Domain ID Name Use
Mobile T1533 Data from Local System

Ginp can download device logs.[1]

Mobile T1628 .001 Hide Artifacts: Suppress Application Icon

Ginp hides its icon after installation.[1]

Mobile T1417 .002 Input Capture: GUI Input Capture

Ginp can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.[1]

Mobile T1516 Input Injection

Ginp can inject input to make itself the default SMS handler.[1]

Mobile T1406 Obfuscated Files or Information

Ginp obfuscates its payload, code, and strings.[1]

Mobile T1636 .003 Protected User Data: Contact List

Ginp can download the device’s contact list.[1]

.004 Protected User Data: SMS Messages

Ginp can collect SMS messages.[1]

Mobile T1513 Screen Capture

Ginp can capture device screenshots and stream them back to the C2.[1]

Mobile T1582 SMS Control

Ginp can send SMS messages.[1]

Mobile T1418 Software Discovery

Ginp can obtain a list of installed applications.[1]

Mobile T1633 .001 Virtualization/Sandbox Evasion: System Checks

Ginp can determine if it is running in an emulator.[1]