Skip to content

S0423 Ginp

Ginp is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from Anubis.1

Item Value
ID S0423
Associated Names
Version 1.1
Created 08 April 2020
Last Modified 11 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1533 Data from Local System Ginp can download device logs.1
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon Ginp hides its icon after installation.1
mobile T1417 Input Capture -
mobile T1417.002 GUI Input Capture Ginp can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.1
mobile T1516 Input Injection Ginp can inject input to make itself the default SMS handler.1
mobile T1406 Obfuscated Files or Information Ginp obfuscates its payload, code, and strings.1
mobile T1636 Protected User Data -
mobile T1636.003 Contact List Ginp can download the device’s contact list.1
mobile T1636.004 SMS Messages Ginp can collect SMS messages.1
mobile T1513 Screen Capture Ginp can capture device screenshots and stream them back to the C2.1
mobile T1582 SMS Control Ginp can send SMS messages.1
mobile T1418 Software Discovery Ginp can obtain a list of installed applications.1
mobile T1633 Virtualization/Sandbox Evasion -
mobile T1633.001 System Checks Ginp can determine if it is running in an emulator.1