Godfather Android Trojan Targeted Over 400 Banks and Crypto Services

Godfather targeted more than 400 organizations from 16 countries, including banks, crypto wallets, and crypto exchanges.

December 22, 2022

An Android banking trojan has resurfaced and targeted over 400 financial companies between June 2021 and October 2022. According to researchers at Group-IB, the Godfather banking trojan is a successor to Anubis.

As of October 2022, Godfather had targeted more than 400 organizations from 16 countries, including 215 banks, 94 crypto wallets, and 110 crypto exchanges. Targeted organizations are based in the U.S., Turkey, Spain, Canada, Germany, France, and the UK, while post-Soviet countries are deliberately spared.

“If the potential victim’s system preferences include one of the languages in that region, the Trojan shuts down. This could suggest that GodFather’s developers are Russian speakers,” Group-IB noted. The trojan terminates if the device's preferred languages include Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.

Godfather is a banking trojan designed to steal banking and cryptocurrency exchange credentials. It goes beyond the capabilities of Anubis, which has fallen out of use because security upgrades in the Android ecosystem blunted its techniques. Godfather operations went dormant for a while in mid-2022; Group-IB assessed that the malware was being updated during that period.

Godfather shares its codebase with Anubis, whose source code leaked in 2019. Unlike Anubis, however, Godfather has upgraded command-and-control (C2) communication, a modified traffic encryption algorithm, the ability to steal Google Authenticator one-time passwords (OTPs), and a new module for managing virtual network computing (VNC) connections.

The trojan can also record the device screen, run a keylogger, circumvent two-factor authentication by exfiltrating push notifications and by forwarding calls, execute USSD requests, launch proxy servers, send SMS messages from infected devices, and establish WebSocket connections.

Godfather can also push fake notifications onto the infected device. On an infected device it overlays fake HTML login pages on top of legitimate banking and crypto apps to harvest credentials. “The fake pages that Godfather can overlay on infected devices appear after users click on decoy notifications or open legitimate apps targeted by Godfather,” Group-IB explained.

One app trojanized with Godfather mimics MYT Müzik, a popular music app in Turkey with 10 million downloads, Cyble reported. The malicious app uses the same logo and name as the legitimate one.

Godfather does, however, lack some of Anubis' capabilities: it has no file encryption feature and cannot record audio or collect GPS location data.

Researchers believe Godfather is distributed through malicious downloader applications hosted on Google Play. On launch, the malware displays a fake Google Play Protect scanning screen to give the user the impression that Play Protect is running; no real scan takes place.

Behind that screen, the malware establishes persistence, requests access to AccessibilityService (an Android framework intended to assist users with disabilities, which lets an app read on-screen content and perform input actions on the user's behalf), creates a pinned notification, and hides its icon from the list of installed applications.
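The AccessibilityService grant is the foothold that makes the overlay and notification-stealing behaviour described above possible, so it is the first thing to check when triaging a suspect device. The following Python helper is an added example, not Group-IB's, Cyble's, or the malware's code. It parses the value of the `enabled_accessibility_services` secure setting (as returned by `adb shell settings get secure enabled_accessibility_services`) together with the output of `adb shell pm list packages -3 -i`, and flags third-party packages that hold accessibility access, noting whether they were installed from Google Play or sideloaded. The sample outputs and the trusted-package allowlist are constructed for the example and should be tuned per fleet.

```python
"""Triage helper: flag third-party Android apps holding AccessibilityService
access. Added example, not code from Group-IB, Cyble, or the Godfather sample.
The two sample strings below are constructed; on a real device they come from
`adb shell settings get secure enabled_accessibility_services` and
`adb shell pm list packages -3 -i`."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample. Android stores enabled accessibility services as a
# ':'-separated list of ComponentName strings ("package/class"; a class that
# starts with '.' is relative to the package).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.musicplayer/com.example.musicplayer.svc.AccService:"
    "com.android.settings/com.android.settings.accessibility.Dummy"
)

# Constructed sample of `pm list packages -3 -i` (third-party apps with their
# installing package; "null" means no recorded installer, i.e. sideloaded).
SAMPLE_PM_LIST = """\
package:com.example.musicplayer  installer=null
package:com.spotify.music  installer=com.android.vending
"""

# Hypothetical allowlist of package prefixes the analyst trusts.
TRUSTED_PREFIXES = ("com.google.", "com.android.", "com.samsung.")
PLAY_STORE = "com.android.vending"


@dataclass(frozen=True)
class Finding:
    package: str
    service: str      # fully qualified AccessibilityService class
    installer: str    # installer package, "null" for sideloaded, "unknown" if absent
    reason: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the setting value into (package, fully qualified class) pairs."""
    pairs: list[tuple[str, str]] = []
    for entry in raw.strip().split(":"):
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):          # expand relative class name
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_installers(pm_output: str) -> dict[str, str]:
    """Parse `pm list packages -i` lines into {package: installer}."""
    installers: dict[str, str] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        tokens = line[len("package:"):].split()
        installer = "unknown"
        for tok in tokens[1:]:
            if tok.startswith("installer="):
                installer = tok[len("installer="):]
        installers[tokens[0]] = installer
    return installers


def flag_accessibility_abuse(
    setting_value: str,
    pm_output: str,
    trusted_prefixes: tuple[str, ...] = TRUSTED_PREFIXES,
) -> list[Finding]:
    """Return one Finding per untrusted package that holds accessibility access."""
    installers = parse_installers(pm_output)
    findings: list[Finding] = []
    for pkg, cls in parse_enabled_services(setting_value):
        if pkg.startswith(trusted_prefixes):
            continue
        installer = installers.get(pkg, "unknown")
        if installer == PLAY_STORE:
            # Play-distributed droppers exist too, so this is a weaker signal.
            reason = "untrusted package holds accessibility access (installed via Play)"
        else:
            reason = "untrusted package holds accessibility access and was sideloaded"
        findings.append(Finding(pkg, cls, installer, reason))
    return findings


if __name__ == "__main__":
    for f in flag_accessibility_abuse(SAMPLE_SETTING, SAMPLE_PM_LIST):
        print(f"{f.package}: {f.service} [installer={f.installer}] {f.reason}")
```

Run it against real device output by substituting the two `adb shell` results for the sample strings; a hit for a package whose launcher icon has also disappeared from the app drawer is a strong indicator of the behaviour described here, while a Play-installed hit still deserves manual inspection because the downloader itself can come from Google Play.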

“By imitating Google Protect, Godfather can easily go undetected on infected devices. Unwitting users believe they are being protected by an Android service, but in fact, the malicious actors gain access to their banking and financial portal accounts,” Group-IB added.

“While Group-IB does not have definitive data on the amount of money stolen by operators of Godfather, the methods harnessed by malicious actors are cause for concern.”

Sumeet Wadhwani
Asst. Editor, Spiceworks Ziff Davis
