Android trojan targets over 400 apps, including crypto and fintech
Singapore-based research Group-IB describes the Godfather monster malware used to target more than 400 fintech applications, crypto exchanges, and wallets in over 16 countries.
In a detailed report, Group-IB demonstrates that hackers can steal login information for online banking and other financial services using the Godfather malware, enabling them to empty victims’ accounts. The financial institutions in the United Kingdom are the worst hit among the 400 victims, with attacks occurring within the last three months.
Per Group-IB, half of the targets were financial institutions. 17 were located in the UK, 49 in the US, 31 in Turkey, and 30 in Spain. The remaining victims are in Canada, France, Germany, Italy, and Poland.
Godfather trojan: how it works
The Android banking Trojan is a renewed successor of Anubis, which also caused a lot of damage to the ecosystem in 2019. The similarities between these two malware are their methods of obtaining the C2 address, carrying out C2 commands, and using the modules for screen capture, proxy, and web spoofing. However, the ability to record audio, track your location, and bypass 2-factor authentication is only available on the Godfather malware.
The Godfather malware is hidden in Android applications featured on Play Store. The payload’s malicious code is disguised to resemble Google Protect. This service scans apps for possibly hazardous behaviors. After being launched by a user, the malware imitates a genuine Google program. An animation shows “Google protect,” but there is none.
Upon installing the vector app from Play Store, the malware permissions itself into the victim’s system. It establishes contact with its commands and control server, sending all the victim’s data. The targets may only notice these developments once they lose funds and find it hard to withdraw or disable the permissioned application.
Artem Grischenko, the junior malware analyst at Group-IB, said that the ties between Godfather and Annubis indicate that cybercriminals are growing in sophistication. There is a need for developers and managers to update their infrastructure because whoever is behind the Godfather trojan can still do more.
The conclusive part of the research also shows that countries with ties to the defunct soviet union are entirely missing from the list and rank of victims. A line of code in the trojan reportedly shutdowns operations once it notices Russian, Moldovan, Kyrgyz, Azerbaijani, Kazakh, Armenian, Tajik or Uzbek languages. The researchers are insinuating the possibility of a cyber war.
