According to Group-IB security researchers, crooks are using an Android banking Trojan called Godfather to steal from users of banking and cryptocurrency exchange apps in 16 countries.
The security firm first discovered Godfather in June 2021, and since October the credential-stealing malware has targeted users of more than 400 apps: 215 international banks, 94 cryptocurrency wallets and 110 crypto exchange platforms, in countries including the US, Turkey, Spain, Canada, Germany, France and the UK.
Additionally, the malware's code contains a check that stops it from targeting Russian-speaking users, or users of a handful of other languages spoken in the former Soviet Union: Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek and Tajik.
This “could indicate that Godfather’s developers speak Russian,” wrote Group-IB.
After stealing users’ credentials and bypassing two-factor authentication, the criminals access victims’ bank accounts and crypto wallets and then withdraw their funds.
Godfather is essentially an updated version of the Anubis banking Trojan, according to security researchers, who found that both share the same code base.
In addition to improving the command-and-control communication protocol and capabilities, “Godfather’s developers also modified Anubis’ traffic encryption algorithm, updated several features such as Google Authenticator OTPs, and added a separate module for managing virtual network computing connections,” they wrote.
Despite surfacing on the malware scene in June 2021, Godfather stopped circulating about a year later, a pause the infosec analysts believe is linked to another software update. It reappeared in September with modified WebSocket functionality, as well as a malware-as-a-service version sold on Telegram.
Security researchers say they don’t know exactly how Godfather infects devices. However, after analyzing the Trojan’s network infrastructure, they found a domain used as a command-and-control address that belonged to an Android app.
“While Group-IB was unable to obtain the payload, analysts believe a malicious application hosted on the Google Play Store contained the Godfather Trojan,” they wrote.
Once installed on a mobile device, the malware poses as “Google Protect” (a lookalike of Google’s legitimate Play Protect scanner) to establish persistence and to get the user to grant it access to AccessibilityService, a legitimate Android API intended to let developers adapt their apps for users with disabilities. That grant also gives Godfather the permissions it needs to communicate with its C&C server.
And like other banking Trojans, the malware uses web fakes, phishing pages displayed on top of legitimate applications, to steal user data. The web fakes mimic the real login pages of the targeted banking apps, so when users enter their username and password, they are handing those credentials to an attacker-controlled website.
Besides exfiltrating users’ credentials, Godfather also sends push notifications to harvest users’ two-factor authentication codes. Once the operators hold both the login credentials and the codes, they can drain the victims’ bank accounts or crypto wallets.
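The AccessibilityService grant described above is visible on the device itself: Android records every enabled accessibility service in the `enabled_accessibility_services` secure setting, which `adb shell settings get secure enabled_accessibility_services` reads back as a colon-separated list of `package/ServiceClass` entries. The script below is an added example, not code from Group-IB or The Register; it parses that value and flags any service whose package is not on an allowlist, which is a quick triage check for a phone suspected of carrying a fake “Google Protect” app. The allowlist, the `com.example.fakeprotect` package and the sample setting value are constructed for the example; the detection logic is mine, not the malware's or Google's.

```shell
#!/bin/sh
# Added example: flag accessibility services an Android device has enabled
# that are not on an allowlist. Banking Trojans such as Godfather rely on
# tricking the user into granting AccessibilityService, and that grant is
# recorded in the enabled_accessibility_services secure setting.

# Packages whose accessibility services are expected on this fleet.
# Assumption for the example: only TalkBack is sanctioned; adjust to taste.
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.talkback"

# Constructed sample of the settings value. Android stores entries as
# package/ServiceClass, separated by colons; "null" means nothing enabled.
# com.example.fakeprotect is a hypothetical decoy package, not a real IOC.
SAMPLE_VALUE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeprotect/com.example.fakeprotect.ProtectService'

# flag_accessibility_services RAW_VALUE ALLOWLIST
# Prints every enabled package/ServiceClass entry whose package is not in
# the space-separated allowlist. Prints nothing when the value is "null".
flag_accessibility_services() {
    value=$1
    allow=$2
    [ "$value" = "null" ] && return 0
    echo "$value" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        pkg=${entry%%/*}            # strip "/ServiceClass" to get the package
        case " $allow " in
            *" $pkg "*) ;;          # sanctioned package, ignore
            *) echo "$entry" ;;     # unknown package holding accessibility rights
        esac
    done
}

# Read the live value from an attached device. Requires adb and a
# connected, authorized device; strips the CR that adb shell appends.
device_accessibility_services() {
    adb shell settings get secure enabled_accessibility_services | tr -d '\r'
}

# Stand-alone run against the constructed sample.
flag_accessibility_services "$SAMPLE_VALUE" "$ALLOWED_PKGS"
```

On a real device, pipe `device_accessibility_services` into the function instead of `SAMPLE_VALUE`. A hit is not proof of compromise, but an unfamiliar package holding accessibility rights on a phone that has just had its bank account emptied is where an investigator should look first, followed by the installer of that package (`adb shell pm list packages -i`) to see whether it arrived via the Play Store, as Group-IB suspects for Godfather.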
“While Group-IB has no definitive data on the amounts of money stolen by Godfather operators,” the report states, “the methods employed by malicious actors are a cause for concern.” ®
https://www.theregister.com/2022/12/22/godfather_banking_trojan/ Godfather makes banking apps an offer they can’t refuse • The Register