Malware researchers have uncovered a new Android banking Trojan dubbed Ginp, built specifically for devices that run the Android OS. The Ginp Trojan appears to have been active for a few months, but it has caught the attention of cybersecurity experts only recently, as reports of infected devices have increased drastically. The Ginp banking Trojan mainly goes after users in Spain. However, its operators have made sure that the threat is capable of infecting users located elsewhere too. The attackers may be local to Spain, as they seem to have in-depth knowledge of how Spanish banking portals work.
After dissecting the threat, malware researchers found that the Ginp Trojan is mostly built from the ground up, and not much of its code has been borrowed from other projects. However, the creators of the Ginp banking Trojan have taken and repurposed some of the code from the infamous Anubis banking Trojan. The features that the Ginp Trojan sports are nothing that has not been seen before. However, they are enough to cause some serious damage to its targets:
- Forwarding calls.
- Collecting text messages.
- Sending text messages.
- Swapping between C&C (Command & Control) servers in case the main one goes offline.
- Listing all software installed on the compromised device.
- Presenting the victim with fake banking platform overlays.
The Ginp Trojan’s capability to overlay a fake page on top of legitimate banking applications and portals is rather impressive due to the high-quality images and trickery the attackers are using. The goal of the bogus overlay is to trick users into entering their login credentials in the fraudulent fields, which allows the operators of the Trojan to collect this data.
Uses Tricks to Remain Stealthy
To remain undetected by the user, the Ginp Trojan uses an empty icon and name in the settings of the Android device. Furthermore, the Ginp banking Trojan conceals its icon, making it impossible for the victim to see it in any of the menus. It is not known with full certainty what propagation methods have been used to spread the Ginp Trojan, but experts speculate that the authors of this threat may have used third-party, unauthorized application stores to promote it via fake software.
We strongly advise you to avoid third-party application stores because the applications they offer may be of low quality, misleading, and sometimes downright threatening, like the Ginp banking Trojan. Make sure to run a legitimate Android anti-malware application that will keep your device secure.