{
	"id": "a8257225-b570-43b3-beae-5c6aec204fcd",
	"created_at": "2026-04-06T00:08:35.262932Z",
	"updated_at": "2026-04-10T13:11:58.271476Z",
	"deleted_at": null,
	"sha1_hash": "d5acfc4dea73523c35e20e5acc7d293b58b54f1d",
	"title": "Ginp - A malware patchwork borrowing from Anubis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34765,
	"plain_text": "Ginp - A malware patchwork borrowing from Anubis\r\nPublished: 2024-10-01 · Archived: 2026-04-05 17:57:01 UTC\r\nIntro\r\nThreatFabric analysts have recently investigated an interesting new strain of banking malware. The malware was first spotted by Tatyana Shishkova from Kaspersky by the end of October 2019, but actually dates back to June 2019. It is still under active development, with at least 5 different versions of the Trojan released within the last 5 months (June - November 2019).\r\nWhat makes Ginp stand out is that it was built from scratch and expanded through regular updates, the last of which includes code copied from the infamous Anubis banking Trojan, indicating that its author is cherry-picking the most relevant functionality for the malware. In addition, its original target list is extremely narrow and seems to be focused on Spanish banks. Last but not least, all the overlay screens (injects) for the banks include two steps: first stealing the victim’s login credentials, then their credit card details. Although multi-step overlays are not something new, their usage is generally limited to avoid raising suspicion.\r\nEvolution\r\nThe initial version of the malware dates back to early June 2019, masquerading as a “Google Play Verificator” app. At that time, Ginp was a simple SMS stealer whose only purpose was to send a copy of incoming and outgoing SMS messages to the C2 server.\r\nA couple of months later, in August 2019, a new version was released with additional banking-specific features. This and the following versions masqueraded as fake “Adobe Flash Player” apps. The malware was able to perform overlay attacks and become the default SMS app through abuse of the Accessibility Service. The overlay consisted of a generic credit card grabber targeting social and utility apps, such as Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram and Twitter.\r\nAlthough early versions had some basic code and string obfuscation, the protection of the third version of the malware was enhanced with the use of payload obfuscation. The capabilities remained unchanged, but a new endpoint was added to the Trojan C2, allowing it to handle the generic card grabber overlay and the specific target overlays (banking apps) separately. In addition, the credit card grabber target list was expanded with Snapchat and Viber.\r\nIn the third version spotted in the wild, the author introduced parts of the source code of the infamous Anubis Trojan (which was leaked earlier in 2019). This change came hand in hand with a new overlay target list, no longer targeting social apps but focusing on banking instead. A remarkable fact is that all the targeted apps relate to Spanish banks, including targets never seen before in any other Android banking Trojan. The 24 target apps belong to 7 different Spanish banks: Caixa bank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander. The specific apps can be found in the target list in the appendix.\r\nhttps://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html\r\nPage 1 of 2\r\nThe most recent version of Ginp (at the time of writing) was detected at the end of November 2019. This version has some small modifications which seem to be unused, as the malware behaviour is the same as in the previous version. The author has introduced the capability to grant the app the device admin permission. Additionally, a new endpoint was added that seems to be related to downloading a module for the malware, probably with new features or configuration.\r\nHow it works\r\nWhen the malware is first started on the device, it begins by removing its icon from the app drawer, hiding itself from the end user. In the second step it asks the victim for the Accessibility Service privilege, as shown in the following screenshot:\r\nSource: https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"
	],
	"report_names": [
		"ginp_a_malware_patchwork_borrowing_from_anubis.html"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434115,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5acfc4dea73523c35e20e5acc7d293b58b54f1d.pdf",
		"text": "https://archive.orkl.eu/d5acfc4dea73523c35e20e5acc7d293b58b54f1d.txt",
		"img": "https://archive.orkl.eu/d5acfc4dea73523c35e20e5acc7d293b58b54f1d.jpg"
	}
}