A new custom mobile banking malware for Android, dubbed Ginp, has emerged, and its authors have taken an aggressive development track: Ginp appears to have been built in under five months, with four different variants already circulating, including a sample released in November that incorporates part of the Anubis trojan’s source code.
Though Ginp was spotted for the first time at the end of October 2019, “it dates back to June 2019 [and] is still under active development…first built from scratch but has been enriched through regular updates, the last of which did include some code copied from the infamous Anubis banking trojan,” according to research from ThreatFabric. “This [indicates] that its author is cherry-picking the most relevant functionalities for its malware.”
Among those functionalities seen in the latest version is a two-screen overlay approach to impersonate banks, the firm said. When an infected victim opens a mobile banking app, the malware dynamically brings up the overlay windows fetched from its command-and-control (C2) server, which mimic the real app. The first screen asks for login credentials, while the second steals the credit-card details.
“Although two-step overlays are not something new, their usage is generally limited to avoid raising suspicions,” researchers said, in a posting on Thursday.
Four Versions, Ongoing Development
Ginp has gone through four iterations, each adding significant capabilities.
The analysis pointed out that the trojan began life as a fake “Google Play Verificator” app; if downloaded, it performed a simple SMS stealer function, intercepting texts and sending them to its C2. In August, a second version emerged – this time purporting to be Adobe Flash Player – containing additional, banking-specific features.
“The malware was able to perform overlay attacks and become the default SMS app through the abuse of the Accessibility service,” according to the posting. “The overlay consisted of a generic credit-card grabber targeting social and utility apps: Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram and Twitter.”
A third version of the malware was released shortly thereafter, with enhanced payload obfuscation, ThreatFabric said. Also, “a new endpoint was added to the Trojan allowing it to handle the card-grabber overlay and specific target (banking apps) overlay separately. In addition, the credit-card grabber target list was expanded with Snapchat and Viber.”
The most recent version of Ginp was detected this month – this time enhanced with parts of the leaked source code of the infamous Anubis trojan (named after the Egyptian god of the dead). ThreatFabric has previously reported a surge in Anubis-based samples in the wild, “after the Anubis actor was allegedly arrested and the source code was leaked” earlier this year.
In Ginp’s case, the firm said the malware reuses Anubis’ names for its Android components and Anubis’ way of handling configuration values through SharedPreferences; some of the SharedPreferences keys are identical to those used by Anubis.
Current and Future Features
When the latest version of the malware is first started on the device, it hides its icon from the app drawer, making it invisible to the end user, according to ThreatFabric’s breakdown. It then asks for Accessibility Service privileges. If the user taps “allow,” Ginp uses that access to grant itself permissions to send messages and make calls, and it is then ready to perform overlays.
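The capability set described above (an Accessibility Service, becoming the default SMS app, sending SMS, placing calls, drawing overlays) is largely visible in an APK’s manifest before the app ever runs. The following is an added triage example, not ThreatFabric’s analysis tooling or anything from Ginp itself: it parses an AndroidManifest.xml and flags those traits. Both manifests it checks are constructed for illustration, with made-up package and class names; the mapping of “default SMS app” to the four component actions below follows Android’s documented requirements for a default SMS handler, and treating SYSTEM_ALERT_WINDOW as an overlay signal is an assumption noted in the code.

```python
"""Static manifest triage for the trojan-like capability set discussed above.
Added example; not ThreatFabric's or Ginp's code. Sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a fake "Flash Player" declaring the suspicious component set.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Adobe Flash Player">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <activity android:name=".Compose">
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/>
      </intent-filter>
    </activity>
    <service android:name=".Respond"
        android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample of a harmless manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.MAIN"/></intent-filter></activity></application>
</manifest>
"""

# Intent actions an app must handle to be eligible as the default SMS app (Android 4.4+).
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
CAPABILITY_FLAGS = ("accessibility_service", "default_sms_eligible", "send_sms",
                    "call_phone", "overlay_permission")


def _attr(el, name):
    return el.get("{%s}%s" % (ANDROID_NS, name))


def _actions(component):
    return {_attr(a, "name") for f in component.findall("intent-filter")
            for a in f.findall("action")}


def triage_manifest(xml_text):
    """Return a dict of capability flags plus a score (number of flags set)."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.findall("uses-permission")}
    app = root.find("application")
    comps = list(app) if app is not None else []
    all_actions = set().union(*(_actions(c) for c in comps))
    findings = {
        # A usable accessibility service must be bound with this permission and filter.
        "accessibility_service": any(
            c.tag == "service"
            and _attr(c, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
            and "android.accessibilityservice.AccessibilityService" in _actions(c)
            for c in comps),
        "default_sms_eligible": DEFAULT_SMS_ACTIONS <= all_actions,
        "send_sms": "android.permission.SEND_SMS" in perms,
        "call_phone": "android.permission.CALL_PHONE" in perms,
        # Assumption: classic overlay windows need SYSTEM_ALERT_WINDOW; accessibility-driven
        # overlays may not, so this is a signal, not a requirement.
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
    }
    findings["score"] = sum(findings[k] for k in CAPABILITY_FLAGS)
    return findings


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

Run it against a manifest pulled from an APK (for example, the decoded output of apktool) rather than the constructed samples. Note that hiding the launcher icon is a runtime action and leaves no manifest trace; a manifest only shows that a launcher activity exists, so that behaviour must be caught dynamically or by inspecting the app’s code.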
This fourth version also moves away from targeting social apps and instead focuses strictly on banking applications, and it has narrowed its geo-targeting to Spanish banks. In all, ThreatFabric found 24 targeted apps belonging to seven Spanish banks (Caixa Bank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander).
Going forward, ThreatFabric said it expects that more of the Anubis code could be added to Ginp, such as a back-connect proxy, screen-streaming and remote access trojan (RAT) capabilities; these would turn it into full-fledged spyware. The social media and other apps targeted by older variants (Chrome, Facebook, Instagram, Skype, Snapchat, Twitter, Viber and WhatsApp) could also be added back into the grabber target list.
“In a five-month timespan, actors managed to create a trojan from scratch, which will presumably continue evolving by offering additional features such as but not limited to keylogging, back-connect proxy or RAT capabilities,” researchers said. “Although the actual targets are Spanish banking applications, looking at the path used in the inject requests, it is noticeable that the path of the overlays includes the country code of the target institution. This could indicate that actor(s) already have plans in expanding the target to applications from different countries and regions.”