Researchers at ThreatFabric, the cybersecurity firm based in Amsterdam, have been following an “interesting new strain of banking malware” dubbed Ginp, which is distributed disguised as Adobe Flash Player.
First identified by Kaspersky’s Android malware analyst Tatyana Shishkova in late October, Ginp is currently targeting users in the UK and Spain.
Researchers believe that the Trojan was actually launched in June 2019 and is still under active development.
According to researchers, cybercriminals have released at least five different versions of Ginp in the past five months, which reflects how eager they are to improve this Trojan.
ThreatFabric analysts claim that Ginp is unique because its codebase was developed from scratch and is being expanded continuously through updates.
Its target list is also considerably narrow as its main targets are the banks in Spain.
The code of Ginp has been copied from the code of another infamous Trojan called Anubis.
Researchers further claim that there are striking similarities between the code of the two Trojans, but Ginp cannot be called a replica of Anubis; rather, it is inspired by Anubis.
For example, Ginp contains traces of Anubis code, and the component names in both Trojans are the same.
The malware gets onto the target device disguised as a legitimate app. As soon as the malware gains access to the device, it hides the app icon and asks for Accessibility Service permissions.
When the user grants permission, it automatically gets dynamic permissions. Using these permissions, the malware can send messages, make calls and perform overlay attacks easily without alerting the user.
“The constantly evolving threat of mobile malware is ever-changing. Yesterday’s top malware program may get leaked and stopped but as we can see with Ginp, that same code can be reused and extended into newer and stronger threats. These newer threats add capabilities that make an even stronger case for implementing multi-factor authentication instead of SMS push for one-time passwords. Banks should always evaluate their threat index and ensure they stay ahead of the curve with a flexible platform that can swap out newer technologies as they are identified and implemented.” — Will LaSala, Director Security Solutions, Security Evangelist, OneSpan.
In June 2019, the Ginp malware appeared first on the Play Store as the Google Play Verificator app; initially, its main function was to steal SMS messages.
However, by August 2019, another version of the malware appeared posing as the Adobe Flash Player app.

This time, according to ThreatFabric’s blog post, the malware could perform many other functions such as abusing Accessibility Service to become the default SMS app and performing overlay attacks.
Later, two new versions of the malware surfaced that primarily targeted social media and banking apps.
The current version is being distributed as legitimate banking apps, mostly related to Spanish banks, and some of the targets have never been seen before in any malware campaign.
A total of 24 apps are targeted and infected with Ginp, all of which belong to 7 Spanish banks including Bankinter, Bankia, BBVA, Caixa Bank, EVO Banco, Santander, and Kutxabank.

According to researchers, Ginp may receive further modifications and exhibit many new malicious features along with expanding its targets.
Ginp’s trojan functions
Upon execution in a victim device, Ginp removes its icon from the app drawer before asking the user for Accessibility Service privilege. Once it receives the said privilege, it grants itself additional permissions for sending messages and making calls.
Ginp is capable of sending or harvesting SMS messages based on received commands. It can also request admin privileges, enable overlay attacks, update the command-and-control (C&C) URL, update the target list, set itself as the default SMS app, prevent the user from disabling Accessibility Services, get installed apps or contacts, enable call forwarding, and hide itself and prevent removal, among other capabilities.
Notably, Ginp can trick the victim into giving out login credentials and credit card details by claiming that these pieces of information are a prerequisite to validate user identity.
Ginp’s five-month evolution
In its first iteration, Ginp disguised itself as a “Google Play Verificator” app, primarily stealing SMS messages. In August, it posed as fake “Adobe Flash Player” apps targeting credit card information. The next version was enhanced with payload obfuscation and started targeting Snapchat and Viber users as well as specific banking apps.
After that, the Ginp author borrowed code from the Anubis malware, whose source code was leaked earlier this year. The said version notably switched to a new overlay target list and predominantly went after banking app users. Trend Micro mobile threat analyst Tony Bao discovered a variant of Anubis (detected by Trend Micro as AndroidOS_AnubisDropper) of the same type a few months ago. The Anubis variant analyzed in Bao’s research targeted 188 banking- and finance-related apps.
In its latest form, Ginp was found with slight modifications, including a new endpoint related to downloading a module and pieces of code borrowed from Anubis. This Ginp iteration targets users of 24 apps from different Spanish banks.
Overlay attacks continue
Android malware has long used full-screen overlay attacks to phish credentials. Trojans use overlays that mimic the legitimate login screens of the targeted applications to trick users into believing that they’ve been logged out and need to re-enter their credentials, or that they need to pass various verification steps which involve providing personal and financial information.
To launch such attacks, Ginp and other malicious apps attempt to register themselves as accessibility services on devices and this step requires users’ approval. Therefore, it’s important for users to be careful about which apps they give accessibility permissions to.
The Android Accessibility Service API was designed to help users with visual, hearing and other types of disabilities.
Among other things, it allows apps with this privilege to observe user actions on the phone, such as when they’re opening other applications, and to inspect the windows of those applications. From an attacker’s perspective, this permission is required to determine when and which overlay to inject, such as when the user opens a specific app.
Once the Accessibility privilege is acquired, Ginp abuses it to grant itself additional permissions without user interaction such as the ability to make calls and send messages.
The Trojan’s overlays occur in two steps per application. First, the victims are asked to input their credentials for the targeted apps and then a second overlay is used to ask for payment card details, allegedly for identity verification purposes.
If the user inputs the requested information, the apps are whitelisted by the Trojan and are not targeted again.
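The combination described above (an enabled accessibility service that also holds SMS, call or overlay permissions, was sideloaded, or has become the default SMS app) can be checked on a device during triage. The following is an added example, not code from ThreatFabric or the other sources cited here. It assumes its inputs were collected with `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure sms_default_application` and `adb shell dumpsys package <pkg>`; the package names, sample dumps and the two-reason threshold are constructed for illustration.

```python
import re

# Permissions matching the behaviours described above (SMS, calls, overlays).
RISKY = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
         "android.permission.RECEIVE_SMS", "android.permission.CALL_PHONE",
         "android.permission.SYSTEM_ALERT_WINDOW"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; adjust per fleet

def accessibility_packages(setting):
    """Parse the enabled_accessibility_services value (colon-separated
    'package/ServiceClass' entries) into a set of package names."""
    if not setting or setting.strip() in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if c}

def triage(setting, default_sms, dumpsys_by_pkg):
    """Return {package: [reasons]} for accessibility services worth reviewing."""
    findings = {}
    for pkg in sorted(accessibility_packages(setting)):
        dump = dumpsys_by_pkg.get(pkg, "")
        granted = set(re.findall(r"(android\.permission\.\w+): granted=true", dump))
        m = re.search(r"installerPackageName=(\S+)", dump)
        installer = m.group(1) if m else "null"
        reasons = [f"holds {p.rsplit('.', 1)[1]}" for p in sorted(granted & RISKY)]
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"sideloaded (installer={installer})")
        if pkg == default_sms.strip():
            reasons.append("is default SMS app")
        # Accessibility alone is normal (screen readers); flag only combinations.
        if len(reasons) >= 2:
            findings[pkg] = reasons
    return findings

# Constructed sample data: the second package and both dumps are invented.
SETTING = "com.google.android.marvin.talkback/.TalkBackService:com.example.flashplayer/.Svc"
DUMPS = {
    "com.google.android.marvin.talkback": "installerPackageName=com.android.vending\n",
    "com.example.flashplayer": ("installerPackageName=null\n"
                                "android.permission.SEND_SMS: granted=true\n"
                                "android.permission.CALL_PHONE: granted=true\n"),
}

if __name__ == "__main__":
    for pkg, why in triage(SETTING, "com.example.flashplayer", DUMPS).items():
        print(pkg, "->", "; ".join(why))
```

A flagged package is a lead for manual review, not a verdict: legitimate automation and assistive apps can also combine accessibility with these permissions.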
Google has been trying to crack down on overlay attacks for some time by marking injected windows more clearly and by tweaking and restricting the permissions required to make them work.
However, the company needs to maintain a balance between security and usability.
For example, one permission that’s required to draw overlays is called SYSTEM_ALERT_WINDOW and this has legitimate uses, like the chat head bubbles used by Facebook Messenger.
In Android Q (Android 10), which was released in September 2019, this permission will be active only for 30 seconds for sideloaded apps and until the system is rebooted for apps installed through Google Play.
The Android developers plan to completely deprecate this functionality in a future version of Android.
However, given the ecosystem’s version fragmentation, a large percentage of devices will never be updated to Android Q or later versions, so overlay attacks are likely to remain a popular attack with criminals.