GodFather Android Banking Trojan Targeting Users of Over 400 Banking and Crypto Apps
An Android banking trojan known as godfather is used to target users of more than 400 banking and cryptocurrency applications spanning 16 countries.
These include 215 banks, 94 crypto wallet providers and 110 crypto exchange platforms serving users in the US, Turkey, Spain, Italy, Canada and Canada, among others, Singapore-headquartered Group-IB said in a report that was shared with The Hacker News.
The malware, like many financial trojans targeting the Android ecosystem, seeks to steal user credentials by generating convincing overlay screens (aka web spoofs) served on top of target apps.
First detected by Group-IB in June 2021 and made public by ThreatFabric in March 2022, GodFather also packs native backdoor features that allow it to abuse Android’s Accessibility APIs to record videos, record keystrokes, take screenshots, and harvest SMS and call logs.
Group-IB’s analysis of the malware revealed that it is a successor to Anubis, another banking trojan that had its source code leaked in an underground forum in January 2019. a-service (MaaS) model.
The similarities between the two malware families extend to the method of receiving the command and control (C2) address, implementation of C2 commands, and the web fake, proxy, and screen recording modules. However, audio recording and location tracking features have been removed.
“Interestingly, GodFather spares users in post-Soviet countries,” Group-IB said. “If the potential victim’s system preferences include one of the languages in that region, the Trojan shuts down. This may indicate that GodFather’s developers are Russian speakers.”
What makes GodFather stand out is the fact that it recovers its command-and-control (C2) server address by decrypting actor-controlled Telegram channel descriptions encoded using the Blowfish cipher.
The exact modus operandi used to infect user devices is not known, although an examination of the threat actor’s command-and-control (C2) infrastructure reveals trojanized dropper applications as one potential distribution vector.
This is based on a C2 address linked to an app called Currency Converter Plus (com.plus.currencyconverter) that was offered on the Google Play Store as of June 2022. The app in question is no longer available for download.
Another artifact investigated by Group-IB impersonates the legitimate Google Play Protect service which, when launched, creates an ongoing notification and hides its icon from the list of installed applications.
The findings come as Cyble discovered a number of GodFather samples purported to be the MYT Müzik app aimed at users in Turkey.
GodFather is not the only Android malware based on Anubis. Earlier this July, ThreatFabric revealed that a modified version of Anubis known as Falcon Russian users targeted by impersonating state-owned VTB Bank.
“The emergence of GodFather highlights the ability of threat actors to edit and update their tools to maintain their effectiveness, despite efforts by malware detection and prevention vendors to update their products,” said Artem Grischenko, researcher at Group-IB, said.
“With a tool like GodFather, threat actors are limited only by their ability to create convincing web spoofs for a specific application. Sometimes the sequel really can be better than the original.”
