‘GodFather’ hits banks, crypto wallets apps as Android Trojans emerge
GodFather is a new Android banking trojan currently targeting unsuspecting users of over 400 banking, crypto wallet and exchange apps worldwide.
The cybersecurity researchers at Group-IB have shared details of a dangerous mobile banking trojan targeting banking apps, crypto exchanges and cryptocurrency wallets since at least June 2021.
What is Godfather?
Dubbed “GodFather” by Group-IB, this malware has targeted users of over 400 cryptocurrency and banking apps in 16 nations. Group-IB discovered the Trojan in June 2021, while the information was made public by ThreatFabric in March 2022.
Researchers believe that GodFather may be a successor of another banking trojan called Anubis, which had its source code leaked in January 2019 on an underground hacking forum.
How will it be delivered?
The malware is delivered to various threat actors via malware-as-a-service platforms and is hidden in apps available on Google Play. These apps seem legitimate, but in reality they contain a payload made to look like it is secured through Google Protect.
When a victim interacts with a fake notification or attempts to open one of these apps, the malware displays a fake web overlay that begins to steal usernames and passwords, along with SMS-based 2FA codes.
What are GodFather's abilities?
The malware steals user credentials by creating fake overlay screens or web spoofs on top of the targeted apps. Thanks to its backdoor functions, GodFather can abuse Android's accessibility APIs, log keystrokes, record video, steal call logs and SMS messages, and take screenshots.
Furthermore, it can launch keyloggers and track the device's screen to capture the desired information. It is unusual in that it derives its C&C server address by decrypting a Telegram channel description, controlled by the threat actor and encrypted with the popular Blowfish cipher.
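The delivery and capability details above (a payload posing as Google Protect, overlay screens, accessibility-API abuse, SMS and call-log theft, screen capture) map onto a small set of Android manifest declarations that an analyst can check statically. The following triage heuristic is an added example, not code from the article or from Group-IB: it scores a constructed dict of manifest metadata (the kind of values one would extract from AndroidManifest.xml with aapt or androguard) against those indicators. The permission strings are real Android identifiers; the weights, thresholds, package names and labels are assumptions made for this illustration.

```python
"""Static triage of Android manifest metadata for overlay-trojan indicators.

Added example, not part of the article or Group-IB's research. The input is a
constructed dict standing in for values extracted from an APK's manifest; the
weights and verdict thresholds are assumptions chosen for this illustration.
"""

# Real Android permission strings, mapped to the capability the article
# attributes to GodFather and an assumed weight for that capability.
INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility_abuse", 3),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 3),
    "android.permission.RECEIVE_SMS": ("sms_2fa_theft", 2),
    "android.permission.READ_SMS": ("sms_2fa_theft", 2),
    "android.permission.READ_CALL_LOG": ("call_log_theft", 1),
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": ("screen_capture", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper", 1),
}

# App labels a trojan may borrow to pass as Google's own security feature.
IMPERSONATED_LABELS = ("google protect", "play protect")


def triage(manifest):
    """Score one manifest dict; return capabilities, flags, score and verdict."""
    # BIND_ACCESSIBILITY_SERVICE is declared on a <service>, the rest as
    # <uses-permission>; both lists are merged for lookup.
    perms = set(manifest.get("uses_permissions", [])) | set(
        manifest.get("service_permissions", []))
    caps, score = set(), 0
    for perm in perms:
        if perm in INDICATORS:
            cap, weight = INDICATORS[perm]
            if cap not in caps:  # count each capability once, not per permission
                caps.add(cap)
                score += weight

    flags = []
    label = manifest.get("label", "").lower()
    package = manifest.get("package", "")
    # A "Google Protect" label outside Google's own namespace is the disguise
    # described in the article.
    if any(l in label for l in IMPERSONATED_LABELS) and not package.startswith("com.google."):
        flags.append("impersonates_google_protect")
        score += 3
    # Accessibility service plus SYSTEM_ALERT_WINDOW is the core of overlay
    # credential theft; weight the combination, not just the parts.
    if "accessibility_abuse" in caps and "overlay" in caps:
        flags.append("accessibility_plus_overlay")
        score += 2

    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"capabilities": sorted(caps), "flags": flags,
            "score": score, "verdict": verdict}


# Constructed sample manifests (hypothetical package names and labels).
SUSPICIOUS = {
    "package": "com.example.protect.update",
    "label": "Google Protect",
    "uses_permissions": [
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.READ_CALL_LOG",
        "android.permission.REQUEST_INSTALL_PACKAGES",
    ],
    "service_permissions": ["android.permission.BIND_ACCESSIBILITY_SERVICE"],
}
BENIGN_SMS_APP = {
    "package": "com.example.messages",
    "label": "Example Messages",
    "uses_permissions": [
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    ],
    "service_permissions": [],
}

if __name__ == "__main__":
    for name, m in (("suspicious", SUSPICIOUS), ("benign", BENIGN_SMS_APP)):
        print(name, triage(m))
```

The benign messaging app legitimately holds SMS permissions and lands at "low"; only the co-occurrence of overlay, accessibility and SMS access, plus the borrowed Google Protect label, pushes the sample into "high". Such a scorer is a first-pass filter for app-store or MDM review, not a classifier: a legitimate screen reader or automation app also binds an accessibility service, so a hit should route the sample to manual analysis.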
Who are the targets?
According to Group-IB’s report, in the latest attack, around 215 banks, 110 crypto exchanges and 94 crypto wallet providers have been targeted by the GodFather operators. The main targets of the GodFather Trojan include the following countries:
- United States
- Great Britain
It is worth noting that the malware does not target post-Soviet countries, which suggests that the attackers may be Russian.
“If the potential victim’s system preferences include one of the languages in that region, the Trojan shuts down. This may indicate that GodFather’s developers are Russian-speaking.”
Artem Grischenko – Group IB