A dangerous mobile banking trojan has been discovered targeting users of over 400 banking, crypto wallet, and crypto exchange apps. The malware dubbed GodFather has been active since at least June 2021.
GodFather trojan
According to researchers, GodFather could be a successor of another banking trojan, named Anubis. The source code of Anubis was leaked in January 2019 on an underground hacking forum.
- Different attackers promoted GodfFather via malware-as-a-service platforms and hidden inside apps on Google Play. These apps seem legitimate and include a payload that is presented to the viewer as a secure app protected via Google Protect.
- Whenever a victim interacts with a fake notification or opens one of these apps, it shows a fake web overlay. It starts stealing usernames/passwords, along with 2FA codes.
- It steals user credentials by creating fake, overlay screens or web fakes via the targeted apps. It retrieves C&C server addresses by decrypting a Telegram channel description, encoded via Blowfish cipher.
Targets
- In a recent attack, around 215 banks, 110 crypto exchanges, and 94 crypto wallet providers were targeted by GodFather.
- The main targets are located in the U.S., Italy, Spain, Turkey, France, Canada, Germany, and the U.K.
- If the target’s system preferences contain one of the languages in the post-Soviet states, it shuts down.
Conclusion
Android trojan operators keep coming up with new tricks and updates. One of the recent examples of this is Godfather that is damaging to the users of the banking sector.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/1b85_shutterstock_1170826771.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/061e_shutterstock_2064996329_1.jpg)
