Labs - Malware Analysis

Analysis of the GINP Android banker

Written by buguroo | Dec 13, 2019 2:20:24 PM

A new banking Trojan for Android devices has recently been discovered that is specifically designed to steal banking credentials for Spanish entities. It belongs to the 'GINP' family, which was first seen in June 2019, although its first versions did not include any functionality for stealing banking credentials.

In its initial versions its developers were interested in stealing the text messages received on the device and in sending SMS from infected devices. The family has evolved considerably since June, from only stealing and sending SMS to incorporating a notable list of capabilities, among them the theft of banking credentials.

It has also evolved on the technical side. In its first versions only the text strings were encoded and the names of functions and classes were obfuscated to hinder analysis. The latest versions, however, use packing techniques: the malicious code is shipped encrypted inside the application and is decrypted and executed only at runtime, so the installed APK on its own reveals little of the actual logic.
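A packed sample of this kind typically carries its real code as an encrypted blob (usually under assets/ or res/raw/) next to a small loader DEX. One quick triage check is to look for large, high-entropy, non-image entries in the APK. The following script is an added example written for this article, not code from the original report or from the malware; the APK it scans is constructed in memory, and the threshold, size cut-off and entry-name filters are assumptions that an analyst would tune.

```python
import io
import math
import random
import zipfile
from collections import Counter

# File magics of legitimately compressed data that also scores high entropy.
# Assumed list for this example; extend as needed.
SKIP_MAGICS = (b"\x89PNG", b"\xff\xd8\xff", b"\x1f\x8b")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_apk_for_packed_payloads(apk_bytes: bytes, threshold: float = 7.5,
                                 min_size: int = 1024):
    """Return [(entry_name, size, entropy)] for suspicious resource entries.

    An entry is reported when it lives under assets/ or res/raw/, is at least
    min_size bytes, is not a known image/compressed container, and its
    entropy is at or above threshold (random-looking bytes, as produced by
    a decent cipher, land near 8.0).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or info.file_size < min_size:
                continue
            if not (name.startswith("assets/") or name.startswith("res/raw/")):
                continue
            data = zf.read(name)
            if data.startswith(SKIP_MAGICS):
                # Images/gzip are high entropy by nature; not evidence of packing.
                continue
            ent = shannon_entropy(data)
            if ent >= threshold:
                findings.append((name, len(data), round(ent, 2)))
    return findings


def loader_dex_size(apk_bytes: bytes) -> int:
    """Size of classes.dex; a packed app often ships only a tiny loader here."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.getinfo("classes.dex").file_size


def build_sample_apk() -> bytes:
    """Constructed sample: a stub DEX, a plain config file, a PNG-like image
    and an 'encrypted' payload (deterministic pseudo-random bytes)."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(8192))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 256)
        zf.writestr("assets/config.json", b'{"c2": "placeholder"}\n' * 100)
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + noise[:2048])
        zf.writestr("assets/payload.bin", noise)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("classes.dex size:", loader_dex_size(apk))
    for name, size, ent in scan_apk_for_packed_payloads(apk):
        print(f"possible packed payload: {name} ({size} bytes, entropy {ent})")
```

Entropy alone is a triage signal, not proof: confirm by locating the loader code that reads the blob (look for DexClassLoader or InMemoryDexClassLoader use and the decryption routine that feeds it), or by dumping the decrypted DEX from a running instance.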

Particularly notable about this malware, beyond its evolution from spyware to banking Trojan, is that it targets only Spanish banking entities. Although its targeted injections are limited to the applications of Spanish entities, it also includes a generic injection for credit card theft (a fake form shown on top of the legitimate app) that is triggered when the user opens Google Play.

If you are interested in reading the full report, subscribe to Labs.