GodFather is a new Android banking trojan that is currently targeting unsuspecting users of over 400 banking, crypto wallet, and exchange apps worldwide.
The cyber security researchers at Group-IB have shared details of a dangerous mobile banking trojan targeting banking apps, crypto exchanges, and cryptocurrency wallets since at least June 2021.
What is GodFather?
Dubbed “GodFather” by Group-IB, this malware has targeted users of over 400 cryptocurrency and banking apps across 16 nations. Group-IB detected the Trojan in June 2021, while the information was disclosed publicly by ThreatFabric in March 2022.
Researchers believe that GodFather could be a successor to another banking trojan, Anubis, whose source code was leaked on an underground hacking forum in January 2019.
How Is It Delivered?
The malware is sold to different threat actors through malware-as-a-service platforms and is hidden inside apps available on Google Play. These apps appear legitimate; in reality, they carry a payload disguised to look as if it is secured through Google Protect.
When a victim interacts with a fake notification or attempts to open one of these apps, the malware displays a fake web overlay that starts stealing usernames and passwords, along with SMS-based 2FA codes.
What are GodFather's Capabilities?
The malware steals user credentials by displaying fake overlay screens (web fakes) on top of the targeted apps. Thanks to its backdoor capabilities, GodFather can abuse Android's Accessibility APIs, log keystrokes, record video, steal call logs and SMS messages, and capture screenshots.
It can also launch keyloggers and monitor the device screen to collect the information it wants. One unusual trait is how it obtains its C&C server address: it decrypts the description of a Telegram channel controlled by the threat actor, which is encrypted with the well-known Blowfish cipher.
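As an added illustration (not code from the original article or from Group-IB), the script below triages a decoded AndroidManifest.xml for the permission and component set that the capabilities above require on a stock device: a component that binds as an Accessibility service, the overlay permission used to draw web fakes, and SMS or call-log access used to capture 2FA codes. The two manifests and the package name are constructed samples; a real APK's binary manifest would first need decoding with a tool such as apktool.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace (android:name, android:permission).
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Manifest artefacts behind the capabilities described in the article.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CALL_LOG_PERMISSION = "android.permission.READ_CALL_LOG"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def declared_permissions(root):
    """Set of <uses-permission android:name=...> values in a decoded manifest."""
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}


def accessibility_services(root):
    """Names of <service> components that the system binds as Accessibility services."""
    return [
        svc.get(ANDROID_NAME)
        for svc in root.iter("service")
        if svc.get(ANDROID_PERMISSION) == ACCESSIBILITY_BIND
    ]


def triage_manifest(manifest_xml):
    """Return the sorted list of capability tags found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    tags = []
    if accessibility_services(root):
        tags.append("accessibility")
    if OVERLAY_PERMISSION in perms:
        tags.append("overlay")
    if perms & SMS_PERMISSIONS:
        tags.append("sms")
    if CALL_LOG_PERMISSION in perms:
        tags.append("call-log")
    return sorted(tags)


def is_overlay_trojan_profile(tags):
    """Heuristic: an Accessibility service combined with overlay or SMS access.
    Overlay banking trojans need this pairing to draw web fakes over other apps
    and to read SMS-based 2FA codes; few legitimate apps need all of it."""
    return "accessibility" in tags and ("overlay" in tags or "sms" in tags)


# Constructed sample: a manifest matching the capability set described above.
# The package name is hypothetical.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakewallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Wallet Protect">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        tags = triage_manifest(manifest)
        print(label, tags, "overlay-trojan profile" if is_overlay_trojan_profile(tags) else "no match")
```

The result is a triage signal, not a verdict: screen readers and automation tools legitimately bind an Accessibility service, so a hit should route the APK to manual review (for example, checking whether the app actually serves the overlay behaviour described above) rather than to an automatic block.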
Who are the Targets?
According to Group-IB’s report, in the latest attack spree, around 215 banks, 110 crypto exchanges, and 94 crypto wallet providers have been targeted by the GodFather operators. The prime targets of the GodFather trojan include the following countries:
- United States
- United Kingdom
It is worth noting that the malware did not target post-Soviet countries, which indicates that the attackers could be Russian.
“If the potential victim’s system preferences include one of the languages in that region, the Trojan shuts down. This could suggest that GodFather’s developers are Russian speakers.” – Artem Grischenko, Group-IB