S0423 Ginp
Ginp is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from Anubis.1
| Item | Value |
|---|---|
| ID | S0423 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 08 April 2020 |
| Last Modified | 11 September 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1432 | Access Contact List | Ginp can download the device’s contact list.1 |
| mobile | T1413 | Access Sensitive Data in Device Logs | Ginp can download device log data.1 |
| mobile | T1418 | Application Discovery | Ginp can obtain a list of installed applications.1 |
| mobile | T1412 | Capture SMS Messages | Ginp can collect SMS messages.1 |
| mobile | T1533 | Data from Local System | Ginp can download device logs.1 |
| mobile | T1523 | Evade Analysis Environment | Ginp can determine if it is running in an emulator.1 |
| mobile | T1516 | Input Injection | Ginp can inject input to make itself the default SMS handler.1 |
| mobile | T1411 | Input Prompt | Ginp can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.1 |
| mobile | T1444 | Masquerade as Legitimate Application | Ginp has masqueraded as “Adobe Flash Player” and “Google Play Verificator”.1 |
| mobile | T1406 | Obfuscated Files or Information | Ginp obfuscates its payload, code, and strings.1 |
| mobile | T1513 | Screen Capture | Ginp can capture device screenshots and stream them back to the C2.1 |
| mobile | T1582 | SMS Control | Ginp can send SMS messages.1 |
| mobile | T1508 | Suppress Application Icon | Ginp hides its icon after installation.1 |