The Godfather Banking Trojan masquerades as a legitimate Google Play app
A type of Android malware that has been targeting banking users worldwide since March has resurfaced using advanced obfuscation methods, masquerading as a legitimate application on the Google Play Store with more than 10 million downloads, researchers have found.
Godfather is a banking Trojan best known for targeting bank users in European countries, but its latest activity shows an increased sophistication in its ability to fly under the radar of common malware detection methods, say researchers from Cyble Research & Intelligence Labs (CRIL ) said in a Dec. 20 blog post.
Once successfully installed on a victim’s device, Godfather initiates a number of typical Trojan banking behaviors, including stealing banking and crypto exchange credentials, the researchers said. But it also steals sensitive data such as SMSes, basic device details – including data from installed applications – and the device’s phone number, and it can perform a variety of cruel actions silently in the background.
“Apart from these, it can also control the device screen using VNC [virtual network computing]forward incoming calls from the victim’s device and inject banking URLs,” the Cyble researchers wrote.
The latest sample of Godfather that the researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products — a new tactic for malware threat actors, the researchers said.
Targeting businesses and consumers
Upon further investigation, the researchers found that the malware used an icon and name similar to the legitimate Google Play app MYT Music, which has already recorded more than 10 million downloads. In fact, threat actors often hide malware on Google Play, despite Google’s best efforts in recent years to keep bad apps out of the store before users are affected.
MYT Music was written in the Turkish language, so researchers assume that the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect that other versions of the malware continue to be active and target banking users worldwide.
Although banking Trojans tend to affect consumers more than businesses, business users are still at risk because they use their mobile devices at work and may even have business apps and data stored on their devices. For this reason, business users should be especially careful about downloading apps from the Internet or opening links received via SMS or email delivered to a mobile phone, the researchers said.
Google Play has removed the app, but those who have it installed are still at risk.
How Godfather pulls the victims’ strings
Once installed on an Android device, Godfather requests 23 different permissions from the device, and abuses a number of them to gain access to a user’s contacts and the state of the device, as well as information related to the user account. It can also write or delete files in external storage and disable the key lock and any associated password security, the Cyble researchers said.
Godfather can successfully transfer funds from a hacked device through its ability to initiate phone calls through Unstructured Supplementary Service Data (USSD) that do not require the use of the caller’s user interface, thus not requiring the user to confirm the call, they said.
The malware also extracts sensitive user data from the device – including application key logs – which can be sent back to a command-and-control (C2) server, which also sends the Godfather a command that forwards all incoming calls received by the victim to a number provided by the threat actor, the researchers said.
Godfather then harvests credentials: It creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages via a separate command from C2, whose server URL is from a Telegram channel, hxxps://t[.]me/varezotukomirza, the researchers said.
Once it has completed its malicious activity, Godfather receives a “killbot” command from C2 to self-terminate, they added.
Avoid getting hit by the Godfather
The most common way to avoid downloading mobile app malware is to download and install software only from official app stores like Google Play or Apple, is the conventional wisdom.
But as this case proves, malware can lurk in official app stores as well, so “practicing basic cyber hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices,” the researchers noted in the post, including using a reputable anti-virus and Internet security software suite on connected devices to ensure that anything downloaded is free of malware.
Also, advanced anti-detection methods used by the Godfather threat actors can make it difficult to download what appear to be legitimate apps, they said. To further protect themselves, users can use strong passwords and enforce multi-factor authentication on devices where possible, making it harder for threat actors to break into their accounts.
Android device users should also ensure that Google Play Protect is enabled on their devices for additional security protection, the Cyble researchers added.
All mobile device users should also enable biometric security features such as fingerprint or facial recognition to unlock the mobile device and use apps, where possible, and be especially careful when enabling permissions on devices, especially if an app is not verified by a reputable vendor. they added.