S0423 Ginp
Ginp is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from Anubis.[1]
Item | Value |
---|---|
ID | S0423 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 08 April 2020 |
Last Modified | 11 September 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1533 | Data from Local System | Ginp can download device logs.[1] |
mobile | T1628 | Hide Artifacts | - |
mobile | T1628.001 | Suppress Application Icon | Ginp hides its icon after installation.[1] |
mobile | T1417 | Input Capture | - |
mobile | T1417.002 | GUI Input Capture | Ginp can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.[1] |
mobile | T1516 | Input Injection | Ginp can inject input to make itself the default SMS handler.[1] |
mobile | T1406 | Obfuscated Files or Information | Ginp obfuscates its payload, code, and strings.[1] |
mobile | T1636 | Protected User Data | - |
mobile | T1636.003 | Contact List | Ginp can download the device’s contact list.[1] |
mobile | T1636.004 | SMS Messages | Ginp can collect SMS messages.[1] |
mobile | T1513 | Screen Capture | Ginp can capture device screenshots and stream them back to the C2.[1] |
mobile | T1582 | SMS Control | Ginp can send SMS messages.[1] |
mobile | T1418 | Software Discovery | Ginp can obtain a list of installed applications.[1] |
mobile | T1633 | Virtualization/Sandbox Evasion | - |
mobile | T1633.001 | System Checks | Ginp can determine if it is running in an emulator.[1] |