Recently found by Kaspersky in October 2019, Ginp is a new and under development android SMS stealer that as of recently borrows code from the Anubis malware codebase. Among other features like SMS stealing, the malware can also perform overlay attacks to grab credentials from browser login fields and steal credit card information from Google Play. As it has already borrowed code from Anubis, we may see more advanced features like screen-streaming in the near future. With its overlay attacks, which greatly resemble TrickBot’s browser code injection, the malware can obtain dynamic overlay configurations from its C2 which it can then use to inject into important websites, such as banks.
Analyst Notes
Ginp’s credit card stealing features are primarily targeting Spanish banks. However, all users should be wary of any apps that they download from the Play Store. Initially, Ginp posed as a Google Play Verification tool before pivoting to masquerading as fake Adobe Flash Player apps. With this in mind, make sure that all apps downloaded are legitimate, based on information such as the publisher or reviews. Do not download apps that cannot be verified.
Source: https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html
