Ginp mobile Trojan fakes incoming SMS

Having got inside a phone, most mobile banking Trojans try to gain access to SMS. They do so in order to intercept one-time confirmation codes from banks. Armed with such a code, the malware owners can make a payment or syphon off funds without the victim noticing. At the same time, many mobile Trojans use SMS to infect more devices by sending the victim’s contacts a download link at the end of which they themselves are waiting.

Some malicious apps are more creative, and use SMS access to distribute other things in your name, such as offensive text messages. The Ginp malware which we first detected last fall can even create incoming SMS on the victim’s phone that no one actually sent — and not only SMS. But let’s start from the beginning.

What Ginp mobile Trojan is capable of?

At first, Ginp had a fairly standard skillset for a banking Trojan: it sent all the victim’s contacts to its creators, intercepted SMS, stole bank card data, and overlaid banking apps with phishing windows.

For the latter the malware exploited Accessibility, a set of Android features for visually impaired users. This too is not uncommon: banking Trojans and many other types of malware love these features because through them they can watch everything on the screen and tap any buttons or links — that is, take complete charge of your phone.

But Ginp’s authors did not stop there, repeatedly replenishing its arsenal with more inventive capabilities. For instance, the malware started using push notifications and pop-up messages to get the victim to open certain apps — those that it can overlay with phishing windows. The notifications are cleverly worded to lull the user into expecting to see a form for entering bank card data. Below is an example (in Spanish):

Google Pay: Nos faltan los detalles de su tarjeta de crédito o débito. Utilice Play Store para agregarlos de manera segura.
(“Google Pay: we are missing your credit or debit card details. Please use the Play Store app to add them securely.”)

If the user trusts the message and opens the Play Store app, they see a form for entering card data as expected. However, the form is not displayed by Google Play, but the Trojan — and the input data goes straight to the cybercriminals.

A fake — and unfortunately very convincing — window for entering bank card data supposedly displayed in the Play Store app

A fake — and unfortunately very convincing — window for entering bank card data supposedly displayed in the Play Store app

Ginp does not limit itself to the Play Store; it also shows fake notifications from banking apps:

B**A: Actividad sospechosa en su cuenta de B**A. Por favor, revise las ultimas transacciones y llame al 91 *** ** 26.
(“B**A: suspicious activity detected on your B**A account. Please check recent transactions and call 91 *** ** 26”)

Curiously, the real bank phone number is given, so the voice at the end of the line is likely to report that everything is in order with your account. But if you decide to check the “suspicious transactions” in the app before calling the bank (a perfectly logical thing to do in the situation), the malware overlays it with a fake window and asks for your card details.

Very convincing fake SMS

In early February, our Botnet Attack Tracking system detected another new feature in Ginp: the ability to create fake incoming SMS. The purpose is the same as before — to lull the user into opening an app. What’s new, the Trojan now can generate SMS with any text and seemingly from any sender. There is nothing to prevent the attackers from faking messages from banks or Google.

A message supposedly from a bank asking the user to confirm a payment in the mobile app

A message supposedly from a bank asking the user to confirm a payment in the mobile app

Whereas push notifications often get swept aside without a glance, incoming SMS sooner or later nearly always get read. So there is a high probability that the user will open the app to check what is happening on their account. And that’s when the Trojan slips in a fake form for entering card details.

How to guard against Ginp

At present, Ginp is mainly targeting users in Spain, but its tastes have already changed once: at the beginning it was targeting Poland and the UK as well. So even if you live elsewhere, always remember the basic rules of cybersecurity. To avoid falling victim to banking Trojans:

  • Download apps only from Google Play.
  • Block the installation of programs from unknown sources in the Android settings. This will minimize the chances of getting some nasty app.
  • Do not follow links in SMS, especially if the message seems suspicious. If, say, a friend unexpectedly texts you a link to some photo instead of sending the image in a messaging or social media app like people normally do, that should raise a red flag.
  • Do not give Accessibility permissions to any app that requests them — very few programs genuinely need this dangerous permission.
  • Also be wary of apps that want access to SMS.Install a reliable security solution on your phone. For example, Kaspersky Internet Security for Android readily detects Ginp and many other threats besides.