Security researchers have spotted a newcomer to mobile banking malware scene, which, considering its authors’ aggressive development approach, could evolve into fully fledged spyware in the future. The custom mobile banking malware for Android, dubbed Gnip, was initially discovered by Kaspersky’s research team in October 2019, but actually dates back to June 2019. The malware is still under active development and in the last few months its creators have released at least five versions of the trojan, with the latest variant released in November incorporating part of the Anubis trojan’s source code.
“What makes Ginp stand out is that it was built from scratch being expanded through regular updates, the last of which including code copied from the infamous Anubis banking Trojan, indicating that its author is cherry-picking the most relevant functionality for its malware,” a new report from ThreatFabric researchers said.
While the first version of Ginp was a simple SMS stealer whose purpose was only to send a copy of incoming and outgoing SMS messages to the command-and-control (C2) server, the latest variant comes with an impressive set of functions, including two-screen overlay approach to impersonate banks. When an infected victim opens a mobile banking app, the malware dynamically brings up the overlay windows fetched from its C2 server, which mimic the real app. The first screen asks for login credentials, while the second steals the credit-card details.
When launched on a victim’s device, the malware removes its icon from the app drawer, thus hiding from the end user. Then it asks the victim for the Accessibility Service privilege and, once granted, it gives itself additional permissions, such as permissions to send messages and make calls, without requiring any further action from the victim. When done, the malware is ready to perform overlays.
Overall, the most recent Ginp version has a fairly common set of capabilities often seen in other Android banking trojans, such as the use of overlay attacks, SMS control and contact list harvesting. But, as the researchers pointed out, it is expected to expand its feature list in future updates.
“Since Ginp is already using some code from the Anubis Trojan, it is quite likely that other, more advanced features from Anubis or other malware, such as a back-connect proxy, screen-streaming and RAT will also be added in the future,” the researchers said.
Also, the social media and other apps previously targeted in older variants could be added back into the grabber target list in the future, such as: Chrome, Facebook, Instagram, Skype, Snapchat, Twitter, Viber and WhatsApp.
“Ginp’s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank. The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language,” the researchers added.
The research team also believes that the malware’s authors might be considering plans to expand to different countries and regions.