Analysis of the GINP Android banker


A new banking Trojan for Android devices has been discovered recently that is specially designed to steal banking credentials for Spanish entities. It belongs to the 'GINP' family, which was discovered in June 2019, although in its first versions it did not include any functionality for the theft of banking credentials.

In its initial versions its developers were interested in stealing text messages received on the device, as well as sending SMS using infected mobile devices. This family has evolved a lot since June, from only including the theft and sending of SMS to incorporating an interesting list of functionalities, among which is the theft of banking credentials.

It has also evolved on the technical side. In its first versions only the text strings were encoded and the names of functions and classes were obfuscated to make analysis difficult. The latest versions, however, use packing techniques: the malicious code is carried inside the APK in encrypted form and is decrypted and executed only at runtime.

Particularly of note in this malware, in addition to its evolution from spyware to banking Trojan, is the fact that it targets only Spanish banking entities. Although its targeted injections are specific to the applications of Spanish entities, it also includes a generic injection for credit card theft that is displayed when the user starts Google Play.

If you are interested in continuing to read the full report, subscribe to Labs:


GINP is one of the new banking trojans specifically aimed at Spanish banking.


Theft of banking credentials is based on 'overlays' that are shown to the user when he or she starts the legitimate application of the affected bank. To know when to show them, GINP uses the same technique as the rest of the Android banking Trojans to detect the start of legitimate apps: it implements an accessibility service that receives the events that occur in the user interface, and so learns which application has come to the foreground.

It is especially curious that this malware has gone from being a spy Trojan to being a banking Trojan which, additionally, only affects Spanish banking entities. This indicates that these samples are specially designed to affect Spanish users.
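The two traits described above (the overlay-plus-accessibility-service combination used to detect and cover the legitimate banking app, and a packed payload that is only decrypted at runtime) both leave static fingerprints in an APK that a triage script can check. The following Python script is an added example and is not code from the original report or from its authors: it inspects a decoded `AndroidManifest.xml` for the `SYSTEM_ALERT_WINDOW` permission and any service guarded by `BIND_ACCESSIBILITY_SERVICE`, and measures the Shannon entropy of entries under `assets/` to flag opaque blobs that look like encrypted payloads. The sample package, its package name, the `.AccService` class, the 7.5 bits/byte threshold and the file names are all constructed here; GINP's real layout is not given on the page.

```python
"""Static triage of an Android package for two banker traits:
overlay + accessibility-service permissions, and high-entropy assets
that may be a packed (encrypted) payload.

Assumption: the manifest inside the package is already decoded to plain
XML (real APKs carry binary AXML; run apktool or similar first).
The sample package built at the bottom is constructed for this example."""
import io
import math
import random
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ENTROPY_THRESHOLD = 7.5  # bits/byte; our chosen cut-off for "looks encrypted"
MIN_BLOB_SIZE = 1024     # ignore tiny files, whose entropy is noisy
# Formats that are compressed by nature and therefore legitimately high-entropy.
SKIP_SUFFIXES = (".png", ".jpg", ".webp", ".gz", ".zip", ".mp3", ".ttf")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def manifest_findings(manifest_xml: str) -> dict:
    """Flag the permission pattern an overlay-based banker needs."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    a11y_services = [s.get(ANDROID_NS + "name")
                     for s in root.iter("service")
                     if s.get(ANDROID_NS + "permission") == A11Y_PERM]
    has_overlay = OVERLAY_PERM in perms
    return {
        "overlay_permission": has_overlay,
        "accessibility_services": a11y_services,
        "overlay_and_accessibility": has_overlay and bool(a11y_services),
    }


def packed_asset_findings(apk: zipfile.ZipFile) -> list:
    """Return (name, entropy) for assets whose content looks encrypted."""
    suspicious = []
    for info in apk.infolist():
        name = info.filename
        if not name.startswith("assets/") or name.lower().endswith(SKIP_SUFFIXES):
            continue
        if info.file_size < MIN_BLOB_SIZE:
            continue
        ent = shannon_entropy(apk.read(name))
        if ent >= ENTROPY_THRESHOLD:
            suspicious.append((name, round(ent, 2)))
    return suspicious


def triage(apk_bytes: bytes) -> dict:
    """Run both checks over an in-memory APK (zip) and merge the findings."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        manifest = apk.read("AndroidManifest.xml").decode("utf-8")
        result = manifest_findings(manifest)
        result["packed_assets"] = packed_asset_findings(apk)
    return result


# --- Constructed sample package (not a real GINP sample) -------------------
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def build_sample_apk() -> bytes:
    """Zip the constructed manifest with one plain-text asset and one
    random-byte asset that stands in for an encrypted payload."""
    rng = random.Random(1234)  # fixed seed so the sample is reproducible
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("assets/strings.txt", "hello world\n" * 200)
        z.writestr("assets/data.bin", bytes(rng.getrandbits(8) for _ in range(4096)))
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Neither check is proof of malice on its own: legitimate accessibility tools and chat-head style apps request the same permissions, and font or media files are high-entropy by nature (hence the suffix skip list). The value of the script is in surfacing the combination, which is what a reviewer would then examine by hand.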
