Researchers are tracking an Android Trojan that’s been rapidly improving over the past several months. It uses overlay attacks to steal login credentials and payment card details from users of banking and other applications.
Dubbed Ginp, the Trojan was first spotted in October 2019, but has been in the wild since at least June, according to researchers from Dutch cybersecurity company ThreatFabric. During the past five months, the malware has received numerous improvements, including some features borrowed from an older commercial banking Trojan called Anubis.
Ginp a developing threat
Ginp started out as a new Trojan built from scratch that masqueraded as an app called Google Play Verificator. It stole incoming and outgoing SMS messages from devices. A later version, released in August added overlay attacks, which involves the display of windows on top of other applications when they’re opened.
Initially, the Trojan used a generic overlay window that asked users for payment card information when opening popular apps like Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram and Twitter. Yet another iteration added payload obfuscation to make detection harder and added Snapchat and Viber to the targeted apps list, as well as dedicated overlays for specific banking apps.
The latest and current version of the Trojan, released earlier this month, brought major changes. The authors copied code from another Android Trojan called Anubis, leaked earlier this year, to enhance its overlay attacks. It now targets 24 apps from seven Spanish banks with unique overlays for each app that are dynamically loaded from a command-and-control server. The older generic overlay approach is still used, but only for Google Play. The other social and utility apps are no longer targeted.
The November 2019 version marks a change of modus operandi for the attackers, from an indiscriminate targeting of social app users to specific targeting of online banking customers. The focus is on Spanish banks for now, but this might change as attackers build overlays for other banking apps.
“Although the actual targets are Spanish banking applications, looking at the path used in the inject requests, it is noticeable that the path of the overlays includes the country code of the
target institution,” the ThreatFabric researchers said in a report published today. “This could indicate that actor(s) already have plans in expanding the target to applications from different countries and regions.”
Overlay attacks continue
Android malware has long used full-screen overlay attacks to phish credentials. Trojans use overlays that mimic the legitimate login screens of the targeted applications to trick users that they’ve been logged out and need to re-input their credentials or that they need to pass various verification steps, which involve providing personal and financial information.
To launch such attacks, Ginp and other malicious apps attempt to register themselves as accessibility services on devices and this step requires users’ approval. Therefore, it’s important for users to be careful about which apps they give accessibility permissions to.
The Android Accessibility Service API was designed to help users with visual, hearing and other types of disabilities. Among other things, it allows apps with this privilege to observe user actions on the phone, such as when they’re opening other applications and to inspect the windows of those applications. From an attacker perspective, this permission is required to determine when and which overlay to inject, such as when the user opens a specific app.
Once the Accessibility privilege is acquired, Ginp abuses it to grant itself additional permissions without user interaction such as the ability to make calls and send messages.
The Trojan’s overlays occur in two steps per application. First, the victims are asked to input their credentials for the targeted apps and then a second overlay is used to ask for payment card details, allegedly for identity verification purposes. If the user inputs the requested information, the apps are whitelisted by the Trojan and are not targeted again.
Google has been trying to crack down on overlay attacks for some time by marking injected windows more clearly and by tweaking and restricting the permissions required to make them work. However, the company needs to maintain a balance between security and usability.
For example, one permission that’s required to draw overlays is called SYSTEM_ALERT_WINDOW and this has legitimate uses, like the chat head bubbles used by Facebook Messenger. In Android Q (Android 10), which was released in September 2019, this permission will be active only for 30 seconds for sideloaded apps and until the system is rebooted for apps installed through Google Play.
The Android developers plan to completely deprecate this functionality in a future version of Android. However, giving the ecosystem’s version fragmentation, a large percentage of devices will never be updated to Android Q or later versions, so overlay attacks are likely to remain a popular attack with criminals.
Don’t sideload apps
Android users should only install applications from Google Play, if the Play store is available in their country. Many Android Trojans are distributed through spam emails and fake web-based alerts and require users to sideload them -- installing apps manually after disabling the default security setting that blocks apps for untrusted sources.
That said, Google Play is not completely free of malware either, as attackers occasionally find ways to bypass Google’s scans and validation process. That is why it’s important to also inspect app ratings, user reviews and how long they’ve been in the store before deciding to install them. The use of anti-malware products for Android is also recommended as they provide an extra layer of protection and could detect malware that Google Play misses.
“The actual version of Ginp has the same capabilities as most other Android banking Trojans, such as the use of overlay attacks, SMS control and contact list harvesting,” the ThreatFabric researchers said. “Overall, it has a fairly common feature list, but it’s expected to expand during future updates. Since some of the code from the Anubis Trojan was already reused in Ginp, it's quite likely that new features, such as back-connect proxy, screen-streaming and Remote Access Trojan will also be added.”