An Android banking Trojan known as GodFather is being used to target users of over 400 banking and cryptocurrency apps across 16 countries.
This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the United States, Turkey, Spain, Italy, Canada, and more.
Like many financial Trojans targeting the Android ecosystem, this malware steals user credentials by generating a convincing overlay screen (a.k.a. a webfake) that appears on top of the target application.
First detected by Group-IB in June 2021 and publicly documented by ThreatFabric in March 2022, GodFather contains a native backdoor that can exploit Android’s accessibility APIs to record videos, log keystrokes, capture screenshots, and collect SMS messages and call logs. It also ships with additional built-in functionality.
Group-IB’s analysis of the malware reveals that it is the successor to another banking Trojan, Anubis, whose source code was leaked on an underground forum in January 2019. GodFather is also said to be offered to other threat actors under a malware-as-a-service (MaaS) model.
The similarities between the two malware families extend to how they receive command-and-control (C2) addresses, their C2 command implementations, web fakes, proxies, and screen-capture modules. Voice recording and location tracking features, however, have been removed.
“Interestingly, GodFather spares users in post-Soviet countries,” Group-IB said. “If a potential victim’s system settings include any of the local languages, the Trojan will shut down. This suggests that GodFather’s developer may be a Russian speaker.”
What makes GodFather stand out is that it obtains the C2 server address by decrypting the description of an actor-controlled Telegram channel, which is encrypted using the Blowfish cipher.
Although the exact technique used to infect user devices is unknown, examination of the threat actor’s C2 infrastructure revealed trojanized dropper apps as one potential distribution vector.
This is based on a C2 address linked to an app named Currency Converter Plus (com.plus.currencyconverter) that was hosted on the Google Play Store as of June 2022. The app in question is no longer available for download.
Another artifact Group-IB investigated impersonated the legitimate Google Play Protect service, created a continuous notification on startup, and hid its icon from the list of installed applications.
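The capabilities described above (overlay permission, an accessibility service, SMS and call-log access, and a label impersonating Google Play Protect) are visible in an APK's manifest before the app ever runs. The following triage script is an added example written for this article, not code from Group-IB or from the malware; it parses a manifest with the standard library and scores the permission-and-component combination typical of overlay-based bankers. The Android permission and action names are real SDK identifiers; the two manifests, the package names, and the allow-list of Google packages are constructed for the demo.

```python
# Added example (not from the article or Group-IB): static triage of an Android
# manifest for the overlay + accessibility + SMS/call-log pattern described above.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission / action identifiers.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CALL_LOG_PERM = "android.permission.READ_CALL_LOG"
# Assumed allow-list: only Google's own packages may legitimately carry a
# "Play Protect" label.
GOOGLE_PKGS = {"com.google.android.gms", "com.android.vending"}


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return package, score, verdict and human-readable findings for a manifest."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = (_attr(app, "label") or "") if app is not None else ""

    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent-filter registers the AccessibilityService action.
    a11y_service = any(
        _attr(s, "permission") == A11Y_PERM
        and any(_attr(a, "name") == A11Y_ACTION for a in s.iter("action"))
        for s in root.iter("service")
    )

    findings = []
    if OVERLAY_PERM in perms:
        findings.append("overlay permission (webfake capability)")
    if a11y_service:
        findings.append("accessibility service (keylogging/screen capture capability)")
    if perms & SMS_PERMS:
        findings.append("SMS access (OTP/SMS collection)")
    if CALL_LOG_PERM in perms:
        findings.append("call log access")
    if "play protect" in label.lower() and pkg not in GOOGLE_PKGS:
        findings.append(f"label impersonates Google Play Protect (package {pkg})")

    score = len(findings)
    # Overlay + accessibility together is the core banker pattern; otherwise
    # require three or more indicators before flagging.
    banker_like = (OVERLAY_PERM in perms and a11y_service) or score >= 3
    return {"package": pkg, "score": score,
            "verdict": "banker-like" if banker_like else "low",
            "findings": findings}


# CONSTRUCTED manifest modelled on the traits described in the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeprotect">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Google Play Protect">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# CONSTRUCTED benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Currency Converter">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(f"{r['package']}: {r['verdict']} (score {r['score']})")
        for f in r["findings"]:
            print("  -", f)
```

In practice the manifest would come from an unpacked APK (binary AXML decoded to text first); the heuristic is a triage aid for prioritising samples, not a verdict on its own, since accessibility and overlay permissions also appear in legitimate assistive apps.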
The findings come after Cyble discovered a number of GodFather samples masquerading as the MYT Müzik app to target users in Turkey.
GodFather is not the only Android malware based on Anubis. Earlier this July, ThreatFabric revealed a modified version of Anubis known as Falcon that targeted Russian users by impersonating the state-owned VTB bank.
Group-IB researcher Artem Grischenko said:
“With tools like GodFather, threat actors are only limited by their ability to create compelling web spoofs for specific applications. Sometimes the sequel is better than the original.”