January 12, 2023 - TuxCare expert team
Researchers at Cyble Research & Intelligence Labs (CRIL) have analyzed a new version of GodFather, an Android banking Trojan.
The malware targets over 400 banking and cryptocurrency apps in 16 countries. Group-IB first discovered the Trojan in June 2021, and ThreatFabric publicly documented it in March 2022.
GodFather displays a fake login screen on top of the login forms of banking and cryptocurrency exchange apps. When a user enters their credentials, the information is sent to the attackers rather than to the legitimate service.
Across those 16 countries, the malware targets online banking and cryptocurrency exchange apps, drawing bogus login screens over the legitimate applications so that threat actors can harvest account credentials. GodFather can also steal SMS messages, device information, and other data.
It targets 215 banking apps, most of them based in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17). GodFather also targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.
The malware is sold to other threat actors through malware-as-a-service offerings and is hidden within apps on Google Play. These apps appear legitimate, but they carry a payload that poses as Google Protect. When a victim interacts with a bogus notification or attempts to launch one of these apps, the malware displays a fake web overlay and begins stealing usernames and passwords, as well as SMS-based 2FA codes. Because the overlay captures both the password and the one-time code, SMS-based 2FA offers no protection against this kind of attack.
Once installed on a victim's device, GodFather exhibits typical banking Trojan behavior, stealing banking and crypto-exchange credentials, according to the researchers. It also exfiltrates SMS messages, basic device details including the list of installed applications, and the device's phone number, and it can carry out a variety of malicious actions in the background.
To evade antivirus detection, the analyzed GodFather samples are obfuscated with custom encryption. When the researchers installed the sample on a test device, they noticed that its icon and name mimic those of a legitimate app, MYT Music, which is available on Google Play and has over 10 million downloads.
GodFather also displays bogus login pages for legitimate banking and cryptocurrency exchange applications. These phishing pages harvest login details such as usernames, customer IDs, and passwords. In total, GodFather targets over 200 banking apps, over 100 cryptocurrency exchange platforms, and 94 cryptocurrency wallet apps.
GodFather compares the list of apps installed on the victim's device against its list of targets, each of which has a matching fake login form. If the victim uses banking or cryptocurrency exchange apps that are not on GodFather's list, the malware instead records the screen to capture the credentials as they are typed.
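The article describes three capabilities GodFather needs on the device: drawing a fake login screen over another app, reading the screen when no overlay exists, and reading SMS messages. It does not name the Android permissions the sample abuses. As an added example (not code from the article or from the researchers), the triage script below assumes that overlay and screen-reading behaviour of this kind rests on the SYSTEM_ALERT_WINDOW permission and/or an enabled accessibility service, and that SMS theft needs the RECEIVE_SMS or READ_SMS permission, and flags third-party apps that hold those capabilities. The parsers consume the text printed by the real adb commands named in the docstring; the sample outputs and package names embedded below are constructed for this example and are hypothetical.

```python
"""Triage an Android device for the capabilities an overlay banking Trojan
needs: a third-party app that is an enabled accessibility service, holds the
SYSTEM_ALERT_WINDOW (draw-over-other-apps) permission, or has SMS permissions.

The parsers consume the text printed by these adb commands:
  adb shell pm list packages -3
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
  adb shell dumpsys package <pkg>
The sample outputs at the bottom are constructed for this example (hypothetical
package names); feed real command output into the same functions on a device.
"""
import re

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def parse_third_party_packages(pm_output: str) -> list[str]:
    # `pm list packages -3` prints one "package:<name>" line per user-installed app
    return [line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]


def parse_accessibility_services(settings_output: str) -> set[str]:
    # Value is colon-separated "pkg/service" entries, or "null" when none is enabled
    value = settings_output.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def overlay_allowed(appops_output: str) -> bool:
    # `appops get <pkg> SYSTEM_ALERT_WINDOW` prints "SYSTEM_ALERT_WINDOW: allow" when granted;
    # "deny", "ignore", "default" or "No operations." mean the app cannot draw overlays
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(m) and m.group(1) == "allow"


def granted_sms_permissions(dumpsys_output: str) -> set[str]:
    # dumpsys package lists runtime permissions as "<perm>: granted=true|false, flags=[...]"
    found = set()
    for perm, state in re.findall(r"(android\.permission\.\w+): granted=(true|false)",
                                  dumpsys_output):
        if perm in SMS_PERMS and state == "true":
            found.add(perm)
    return found


def triage(pm_output: str, settings_output: str,
           appops_by_pkg: dict[str, str], dumpsys_by_pkg: dict[str, str]) -> dict[str, list[str]]:
    """Return {package: [capabilities]} for third-party apps holding at least one
    capability, ordered so the apps combining the most capabilities come first."""
    a11y = parse_accessibility_services(settings_output)
    findings = {}
    for pkg in parse_third_party_packages(pm_output):
        caps = []
        if pkg in a11y:
            caps.append("accessibility_service")
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            caps.append("overlay")
        if granted_sms_permissions(dumpsys_by_pkg.get(pkg, "")):
            caps.append("sms")
        if caps:
            findings[pkg] = caps
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))


# Constructed sample output (hypothetical packages): a "music player" that is an
# accessibility service, may draw overlays and reads SMS, next to two benign apps.
PM_OUTPUT = """package:com.example.musicplayer
package:com.example.bank
package:com.example.notes
"""
SETTINGS_OUTPUT = "com.example.musicplayer/com.example.musicplayer.A11yService\n"
APPOPS = {
    "com.example.musicplayer": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m ago\n",
    "com.example.bank": "SYSTEM_ALERT_WINDOW: deny\n",
    "com.example.notes": "No operations.\n",
}
DUMPSYS = {
    "com.example.musicplayer": """    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
""",
    "com.example.bank": """    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
""",
    "com.example.notes": "",
}


def run_sample() -> dict[str, list[str]]:
    return triage(PM_OUTPUT, SETTINGS_OUTPUT, APPOPS, DUMPSYS)


if __name__ == "__main__":
    for pkg, caps in run_sample().items():
        print(f"{pkg}: {', '.join(caps)}")
```

An app that combines all three capabilities while presenting itself as a music player is exactly the profile the article describes, so such hits deserve a closer look (compare the package name against the Google Play listing of the app it imitates). A legitimate app may hold one of them on its own, so the script only ranks candidates rather than labelling them malicious.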
The sources for this piece include an article in HackRead.