{"id":15402,"date":"2020-02-14T11:05:52","date_gmt":"2020-02-14T16:05:52","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/ginp-mobile-banking-trojan\/15402\/"},"modified":"2021-10-04T20:36:22","modified_gmt":"2021-10-04T16:36:22","slug":"ginp-mobile-banking-trojan","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ginp-mobile-banking-trojan\/15402\/","title":{"rendered":"Ginp mobile Trojan fakes incoming SMS messages"},"content":{"rendered":"<p>Having infiltrated a phone, most mobile banking Trojans try to gain access to SMS messages. They do so to intercept one-time confirmation codes from banks. Armed with such a code, the malware owners can make a payment or siphon off funds without the victim noticing. At the same time, many mobile Trojans use text messages to infect more devices by sending the victim\u2019s contacts a bad download link.<\/p>\n<p>Some malicious apps are more creative, using SMS access to distribute other things in your name, such as <a href=\"https:\/\/www.kaspersky.com\/blog\/faketoken-trojan-sends-offensive-sms\/32048\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">offensive text messages<\/a>. The Ginp malware, which we <a href=\"https:\/\/twitter.com\/sh1shk0va\/status\/1186968376930897926\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">first detected last fall<\/a>, can even create incoming texts on the victim\u2019s phone that no one actually sent \u2014 and not only texts. But let\u2019s start from the beginning.<\/p>\n<h2>What is the Ginp mobile Trojan capable of?<\/h2>\n<p>At first, Ginp had a fairly standard skill set for a banking Trojan. 
It sent all the victim\u2019s contacts to its creators, intercepted text messages, stole bank card data, and overlaid banking apps with phishing windows.<\/p>\n<p>For the latter, the malware exploited <a href=\"https:\/\/www.kaspersky.com\/blog\/android-8-permissions-guide\/23981\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Accessibility<\/a>, a set of Android features for users with visual impairments. That is not uncommon; banking Trojans and many other types of malware use these features because through them they get visual access to everything on the screen and can even \u201ctap\u201d buttons or links \u2014 in effect, they can take charge of your phone completely.<\/p>\n<p>But Ginp\u2019s authors did not stop there, repeatedly replenishing its arsenal with more inventive capabilities. For instance, the malware started using push notifications and pop-up messages to get the victim to open certain apps \u2014 those that it can overlay with phishing windows. The notifications are cleverly worded to lull the user into expecting to see a form for entering bank card data. Below is an example (in Spanish):<\/p>\n<blockquote><p>Google Pay: Nos faltan los detalles de su tarjeta de cr\u00e9dito o d\u00e9bito. Utilice Play Store para agregarlos de manera segura.<br>\n(\u201cGoogle Pay: We are missing your credit or debit card details. Please use the Play Store app to add them securely.\u201d)<\/p><\/blockquote>\n<p>In the Play Store app, users see a form for entering card data as expected. 
However, it\u2019s the Trojan displaying the form, not Google Play \u2014 and the input data goes straight to the cybercriminals.<\/p>\n<div id=\"attachment_32484\" style=\"width: 372px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2020\/02\/14214604\/ginp-mobile-banking-trojan-screen-1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-32484\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2020\/02\/14214604\/ginp-mobile-banking-trojan-screen-1.jpg\" alt=\"A fake \u2014 and unfortunately very convincing \u2014 window for entering bank card data, displayed in what appears to be the Play Store app\" width=\"362\" height=\"362\" class=\"size-full wp-image-15403\"><\/a><p id=\"caption-attachment-32484\" class=\"wp-caption-text\">A fake \u2014 and unfortunately very convincing \u2014 window for entering bank card data, displayed in what appears to be the Play Store app<\/p><\/div>\n<p>Ginp goes beyond the Play Store, also showing what appear to be notifications from banking apps:<\/p>\n<blockquote><p>B**A: Actividad sospechosa en su cuenta de B**A. Por favor, revise las ultimas transacciones y llame al 91 *** ** 26.<br>\n(\u201cB**A: Suspicious activity detected on your B**A account. Please check recent transactions and call 91 *** ** 26\u201d)<\/p><\/blockquote>\n<p>Curiously, the fake notifications provide a real phone number for the bank, so if you call, the voice at the end of the line is likely to report that your account is fine. But if you look into the \u201csuspicious transactions\u201d before calling the bank, the malware overlays the banking app with a fake window and asks for your card details.<\/p>\n<h2>Very convincing fake SMS messages<\/h2>\n<p>In early February, our Botnet Attack Tracking system detected another new feature in Ginp: the ability to create fake incoming texts. 
The purpose is the same as before \u2014 to get the user to open an app \u2014 but now, the Trojan can generate SMS messages with any text and seemingly from any sender. There is nothing to prevent the attackers from faking messages from banks or Google.<\/p>\n<div id=\"attachment_32483\" style=\"width: 1486px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2020\/02\/14214608\/ginp-mobile-banking-trojan-screen-2n.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-32483\" class=\"size-full wp-image-15405\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2020\/02\/14214608\/ginp-mobile-banking-trojan-screen-2n.jpg\" alt=\"A message supposedly from a bank asking the user to confirm a payment in the mobile app\" width=\"1476\" height=\"720\"><\/a><p id=\"caption-attachment-32483\" class=\"wp-caption-text\">A message, supposedly from a bank, asking the user to confirm a payment in the mobile app<\/p><\/div>\n<p>Whereas users often push notifications aside without a glance, they tend to read their incoming SMS messages sooner or later. That means there\u2019s a good chance any given user will open the app to check what is happening with their account. And that\u2019s when the Trojan slips in a fake form for entering card details.<\/p>\n<h2>How to guard against Ginp<\/h2>\n<p>At present, Ginp is mainly targeting users in Spain, but its tactics have already changed once; it used to target Poland and the UK as well. So even if you live elsewhere, always remember the basic rules of cybersecurity. To avoid falling victim to banking Trojans:<\/p>\n<ul>\n<li>Download apps only from Google Play.<\/li>\n<li>Block the installation of <a href=\"https:\/\/www.kaspersky.com\/blog\/unknown-apps-android\/41656\/\" target=\"_blank\" rel=\"noopener nofollow\">programs from unknown sources<\/a> in Android\u2019s settings. 
This will minimize the chances of getting some nasty app.<\/li>\n<li>Do not follow links in text messages, especially if the message seems suspicious in any way \u2014 if a friend unexpectedly texts you a link to a photo instead of sending the image in a messaging or social media app, for example. <\/li>\n<li>Do not give <em>Accessibility<\/em> permissions to any app that requests them \u2014 very few programs genuinely need this powerful permission. <\/li>\n<li>Be wary of apps that want access to your texts.<\/li>\n<li>Install a reliable security solution on your phone. For example, <a href=\"https:\/\/me-en.kaspersky.com\/mobile-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____3d7d2c33c4c17a10\" target=\"_blank\" rel=\"noopener\">Kaspersky for Android<\/a> readily detects Ginp and many other threats besides.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In the hunt for your bank card info, the malware overlays apps with phishing pages and uses fake notifications to get you to open the 
apps.<\/p>\n","protected":false},"author":2555,"featured_media":15407,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[105,702,205,2233,426,2234,46,521],"class_list":{"0":"post-15402","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-android","10":"tag-banking-trojans","11":"tag-botnets","12":"tag-ginp","13":"tag-mobile-devices","14":"tag-push-notifications","15":"tag-sms","16":"tag-threats"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ginp-mobile-banking-trojan\/15402\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ginp-mobile-banking-trojan\/18527\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/ginp-mobile-banking-trojan\/7786\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ginp-mobile-banking-trojan\/20312\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ginp-mobile-banking-trojan\/18616\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ginp-mobile-banking-trojan\/17136\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ginp-mobile-banking-trojan\/21100\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/ginp-mobile-banking-trojan\/19936\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ginp-mobile-banking-trojan\/26324\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/ginp-mobile-banking-trojan\/7688\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ginp-mobile-banking-trojan\/32478\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ginp-mobile-banking-trojan\/13754\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/ginp-mobile-banking-trojan\/14457\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/ginp-mobile-banking-troj
an\/12788\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/ginp-mobile-banking-trojan\/22226\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ginp-mobile-banking-trojan\/26902\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/ginp-mobile-banking-trojan\/25013\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ginp-mobile-banking-trojan\/20966\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ginp-mobile-banking-trojan\/25807\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ginp-mobile-banking-trojan\/25639\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2555"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15402"}],"version-history":[{"count":5,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15402\/revisions"}],"predecessor-version":[{"id":18930,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15402\/revisions\/18930"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15407"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15402"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15402"}],"curies":[{"name":"wp","href":"https:
\/\/api.w.org\/{rel}","templated":true}]}}