Skip to content

S0423 Ginp

Ginp is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from Anubis.1

Item Value
ID S0423
Associated Names
Version 1.1
Created 08 April 2020
Last Modified 11 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1432 Access Contact List Ginp can download the device’s contact list.1
mobile T1413 Access Sensitive Data in Device Logs Ginp can download device log data.1
mobile T1418 Application Discovery Ginp can obtain a list of installed applications.1
mobile T1412 Capture SMS Messages Ginp can collect SMS messages.1
mobile T1533 Data from Local System Ginp can download device logs.1
mobile T1523 Evade Analysis Environment Ginp can determine if it is running in an emulator.1
mobile T1516 Input Injection Ginp can inject input to make itself the default SMS handler.1
mobile T1411 Input Prompt Ginp can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.1
mobile T1444 Masquerade as Legitimate Application Ginp has masqueraded as “Adobe Flash Player” and “Google Play Verificator”.1
mobile T1406 Obfuscated Files or Information Ginp obfuscates its payload, code, and strings.1
mobile T1513 Screen Capture Ginp can capture device screenshots and stream them back to the C2.1
mobile T1582 SMS Control Ginp can send SMS messages.1
mobile T1508 Suppress Application Icon Ginp hides its icon after installation.1


Back to top