Recently, security researchers at ThreatFabric discovered a new trojan, Ginp, during their daily monitoring. “What makes Ginp stand out is that it was built from scratch, being expanded through regular updates, the last of which includes code copied from the infamous Anubis banking Trojan, indicating that its author is cherry-picking the most relevant functionality for its malware. In addition, its original target list is extremely narrow and seems to be focused on Spanish banks.”
The original version of the malware dates back to early June 2019 and was disguised as a “Google Play Verificator” application. At the time, Ginp was a simple SMS stealer whose purpose was to send a copy of the text messages received and sent on the user’s mobile phone to the C2 server.
In August 2019, a new version was released, adding features typical of banking Trojans. This version was disguised as a fake “Adobe Flash Player” application, and its code gained enhanced anti-obfuscation capabilities. Compared with the “Flash Player” Trojan released in the preceding two weeks, Ginp can be remotely controlled to collect the user’s contact list, SMS messages and other private information, to grant itself sensitive application permissions, and to load web pages as overlays on top of specific application screens in order to steal login credentials.