Analysis of the GINP Android banker

A new banking Trojan for Android devices has been discovered recently that is specially designed to steal banking credentials for Spanish entities. It belongs to the 'GINP' family, which was discovered in June 2019, although in its first versions it did not include any functionality for the theft of banking credentials

In its initial versions its developers were interested in stealing text messages received on the device, as well as sending SMS using infected mobile devices. This family has evolved a lot since June, from only including the theft and sending of SMS to incorporating an interesting list of functionalities, among which is the theft of banking credentials.

It has also evolved on the technical side. In its first versions only the text strings were encoded and the names of functions and classes were obfuscated to make analysis difficult. However, the latest versions reveal the use of packaging techniques, which allow the malware to include the encrypted malicious code so that it is decrypted and executed at runtime.

Particularly of note in this malware, in addition to its evolution from spyware to banking Trojan, is the fact that it only affects Spanish banking entities. But although it does specifically affect the applications of Spanish entities, it also includes a generic injection for credit card theft when the user starts Google Play.

If you are interested in continuing to read the full report:


GINP is one of the new banking trojans specifically aimed at Spanish banking.


Theft of banking credentials is based on 'overlays' that are shown to the user when he or she starts the legitimate application of the affected bank. In addition to the use of 'overlays', GINP uses the same techniques as the rest of the Android banking Trojans to detect the start of legitimate apps, implementing an accessibility service that receives the events that occur in the user interface.

It is especially curious that this malware has gone from being a spy Trojan to being a banking Trojan which, additionally, only affects Spanish banking entities. This indicates that these samples are specially designed to affect Spanish users.


Posted by David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.



buguroo’s cloud-based fraud detection delivers a straightforward solution for detecting and stopping today’s – and tomorrow’s malware threats. Banks and their customers can be protected from one of the most malicious threats in use by cybercriminals.


Solicita una demo

Would you like to know how our solution protects your bank?

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video

Did you like it? Share in your social communities.