GodFather Android banking malware steals bank details

January 12, 2023 - TuxCare PR Team

Researchers at Cyble Research & Intelligence Labs (CRIL) have discovered GodFather malware, a new version of the Android banking Trojan.

This malware has infiltrated over 400 cryptocurrency and banking apps in 16 countries. Group-IB discovered the Trojan in June 2021, and ThreatFabric made the information public in March 2022.

It can appear as the login screen on top of the app login forums for banking and cryptocurrency exchange websites. When a user enters his or her credentials, the information is sent to the hackers rather than the official website.

In 16 countries, the Android malware targets online banking pages and cryptocurrency exchanges. It displays bogus login screens over legitimate applications. GodFather is used by threat actors to steal account credentials. GodFather can also steal SMSs, device information, and other data.

It has targeted 215 banking apps, the majority of which are located in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (UK) (17). The Godfather malware also targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.

The malware is distributed to various threat actors via malware-as-a-service platforms and is hidden within Google Play apps. These apps appear to be legitimate; however, they contain a payload disguised to appear to be protected by Google Protect. When a victim interacts with a bogus notification or attempts to launch one of these apps, the malware displays a bogus web overlay and begins stealing usernames and passwords, as well as SMS-based 2FA codes.

Once installed on a victim’s device, GodFather begins a series of typical banking Trojan behaviors, including stealing banking and crypto-exchange credentials, according to the researchers. However, it also steals sensitive data such as SMSs, basic device details including data from installed applications, and the device’s phone number, and it can carry out a variety of nefarious actions in the background.

To avoid detection by antivirus software, the analyzed GodFather samples are encrypted using custom encryption techniques. When the security researchers installed this app on a test device, they noticed that it has an icon and a name that are similar to those of a legitimate app called MYT Music. This legitimate app is available on Google Play and has received over 10 million downloads.

GodFather also displays bogus login pages for legitimate baking and cryptocurrency exchange applications. These phishing pages are used to steal passwords like login information like usernames, customer IDs, passwords, etc. GodFather is targeting over 200 banking apps, over 100 cryptocurrency exchange platforms, and 94 cryptocurrency wallet apps.

GodFather searches the list of apps on the victim’s device for matching fake login forms. If the victim has banking or cryptocurrency exchange apps that are not on the GodFather’s list, the malware will record the screen in order to capture the entered login credentials.

The sources for this piece include an article in HackRead.

Summary