S0423: Ginp
Analyst context for executives and security teams
Ginp matters because it represents Android banking-trojan behavior aimed at stealing sensitive user and financial information through mobile-device abuse, not just traditional endpoint compromise. The ATT&CK relationships show a pattern that can combine deceptive prompts, screen capture, SMS access/control, contact/SMS collection, local data access, app discovery, icon hiding, naming masquerade, obfuscation, and analysis-environment checks. For leaders, the practical issue is whether mobile devices used for banking, payments, customer operations, or privileged business access are visible enough to investigate and contain this class of behavior.
Executive priority
Treat Ginp as a mobile-security readiness and fraud-risk use case. The supplied ATT&CK data supports prioritizing Android fleet visibility, mobile application governance, user reporting paths for suspicious prompts or hidden apps, and incident-response procedures for devices that may expose credentials, SMS messages, contacts, or local data. Because MITRE provides no official detection text and no tactics for this object, executives should ask whether current mobile controls produce evidence that can prove coverage, support audit/compliance needs, and guide containment decisions when a banking-trojan-style incident is suspected.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the Android techniques Ginp is mapped to: obfuscated files or traffic, GUI input capture, installed-application discovery, screen capture, accessibility-based input injection, local data access, SMS control, hidden launcher icon behavior, system/sandbox checks, contact and SMS collection, and matching legitimate application names or locations. Practical validation should focus on whether mobile device management, mobile threat defense, app inventory, permission telemetry, device logs, and user reports can show suspicious permission requests, default SMS-handler changes, use of SMS send/receive capabilities, accessibility abuse indicators, MediaProjection-style screen capture prompts, hidden or misleading apps, and unusual access to contacts/SMS/local storage.
Likely telemetry
- Android app inventory and package metadata, including app name, icon, package name, install source, and launcher visibility
- Mobile-device permission grants and permission-change history for SMS, contacts, accessibility, storage/local data, and screen capture-related capabilities
- Default SMS handler status, SMS send/receive activity, and access to SMS content where legally and operationally collected
- Accessibility service enablement and unusual accessibility-driven UI interaction indicators
- Screen-capture consent prompts or MediaProjection-related application behavior where available
Detection direction
- Start with ATT&CK relationship-driven analytics rather than relying on a Ginp-specific signature, because the official object does not provide detection guidance.
- Correlate multiple behaviors before escalating: suspicious SMS capability plus contact/SMS access, deceptive prompts, hidden icon behavior, or legitimate-name masquerading is more meaningful than a single broad permission request.
- Tune carefully for false positives because legitimate Android applications may request SMS, contacts, accessibility, storage, or screen-capture permissions for valid reasons.
- Validate visibility on personally owned or lightly managed Android devices, as these are common blind spots for mobile telemetry, permission history, and post-incident collection.
- Include anti-analysis and obfuscation signals in triage, but do not treat them alone as proof of Ginp; use them to prioritize deeper mobile malware analysis.
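The correlation rule described above, as an added example that is neither Glexia's nor MITRE's code: it scores constructed Android app-inventory records (field names are assumptions modelled on a typical MDM/MTD export) and escalates only when several Ginp-style behaviors combine, so a single SMS or contacts permission on a store-installed app does not fire.

```python
"""Correlated triage over Android app-inventory records (added example, not from the page).
Record fields (package, label, install_source, permissions, launcher_visible,
default_sms_handler, accessibility_enabled, media_projection_prompt) are assumed names."""
from typing import Dict, List

# Labels Ginp has masqueraded as, per the ATT&CK relationship text on this page.
MASQUERADE_LABELS = {"adobe flash player", "google play verificator"}
SMS_PERMS = {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"}
PLAY_STORE = "com.android.vending"  # install source treated as lower-risk


def score_app(app: Dict) -> Dict:
    """Collect behavioral signals for one app; escalation needs at least two signals."""
    signals: List[str] = []
    perms = set(app.get("permissions", []))
    if perms & SMS_PERMS and "READ_CONTACTS" in perms:
        signals.append("sms_plus_contacts")          # SMS control + contact/SMS collection
    if app.get("default_sms_handler") and app.get("install_source") != PLAY_STORE:
        signals.append("sideloaded_default_sms_handler")  # input-injection outcome
    if app.get("accessibility_enabled"):
        signals.append("accessibility_service")
    if not app.get("launcher_visible", True):
        signals.append("hidden_icon")                # suppressed application icon
    if app.get("label", "").strip().lower() in MASQUERADE_LABELS:
        signals.append("masquerade_label")           # match legitimate name
    if app.get("media_projection_prompt"):
        signals.append("screen_capture_prompt")
    # A broad permission alone is common in legitimate apps; require a combination
    # that includes at least one stealth or masquerade indicator or SMS+contacts access.
    strong = {"hidden_icon", "masquerade_label", "sms_plus_contacts"}
    escalate = len(signals) >= 2 and bool(strong & set(signals))
    return {"package": app["package"], "signals": signals, "escalate": escalate}


# Constructed sample inventory (not real telemetry): a legitimate messaging app and
# a sideloaded app showing the combination of behaviors mapped to Ginp.
SAMPLE_INVENTORY = [
    {"package": "com.example.messenger", "label": "Messenger", "install_source": PLAY_STORE,
     "permissions": ["READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS"],
     "launcher_visible": True, "default_sms_handler": True},
    {"package": "com.update.flash", "label": "Adobe Flash Player", "install_source": "unknown",
     "permissions": ["READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS"],
     "launcher_visible": False, "default_sms_handler": True, "accessibility_enabled": True},
]


def triage(inventory: List[Dict]) -> List[Dict]:
    """Return only the records that meet the escalation threshold."""
    return [r for r in (score_app(a) for a in inventory) if r["escalate"]]
```

Tune `MASQUERADE_LABELS`, the install-source allowlist, and the threshold against your own fleet's known-good SMS and accessibility apps before wiring this into a SOAR queue.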
Mitigation priorities
- Prioritize Android mobile-device governance for users handling financial, privileged, or sensitive business workflows.
- Enforce application allowlisting or approved app-store/application-source policies where feasible, and review apps that mimic legitimate names, icons, or package locations.
- Restrict and review high-risk permissions and roles, especially SMS handling, contacts access, accessibility services, storage/local data access, and screen-capture capabilities.
- Ensure mobile incident-response playbooks cover isolation, evidence preservation, credential reset decisions, SMS-based authentication risk, and notification paths for affected business processes.
- Educate users to report unexpected credential/banking prompts, SMS anomalies, requests to enable accessibility services, or apps that disappear from the launcher.
Analyst notes and limits
The official ATT&CK description identifies Ginp as an Android banking trojan used to target Spanish banks and notes that some code was taken from Anubis, with ThreatFabric as the cited source. The decision value for defenders is in the mapped mobile behaviors: credential/PII capture opportunities, SMS and contact exposure, local data collection, evasion through obfuscation and system checks, and persistence/stealth through icon suppression or legitimate-name matching.
MITRE supplies no official detection text, aliases, labels, or tactics for this object. The relationship descriptions are technique-level context and should not be read as proof that every environment will observe every behavior. Local mobile-management coverage, legal constraints on SMS/contact telemetry, device ownership model, and available mobile security tooling determine what can actually be detected or investigated.
Ginp
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1633.001 | System Checks Sub-technique | Ginp can determine if it is running in an emulator. [1] |
| Mobile | T1636.004 | SMS Messages Sub-technique | Ginp can collect SMS messages. [1] |
| Mobile | T1516 | Input Injection | Ginp can inject input to make itself the default SMS handler. [1] |
| Mobile | T1628.001 | Suppress Application Icon Sub-technique | Ginp hides its icon after installation. [1] |
| Mobile | T1513 | Screen Capture | Ginp can capture device screenshots and stream them back to the C2. [1] |
| Mobile | T1417.002 | GUI Input Capture Sub-technique | Ginp can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login. [1] |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | Ginp has masqueraded as “Adobe Flash Player” and “Google Play Verificator”. [1] |
| Mobile | T1418 | Software Discovery | Ginp can obtain a list of installed applications. [1] |
| Mobile | T1582 | SMS Control | Ginp can send SMS messages. [1] |
| Mobile | T1533 | Data from Local System | Ginp can download device logs. [1] |
| Mobile | T1406 | Obfuscated Files or Information | Ginp obfuscates its payload, code, and strings. [1] |
| Mobile | T1636.003 | Contact List Sub-technique | Ginp can download the device’s contact list. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 42d8090fca2e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ThreatFabric Ginp: ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
[2] mitre-attack S0423: MITRE ATT&CK source object for Ginp.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.