Multiple cybersecurity firms have confirmed the existence of Godfather, an Android banking malware that has been detected targeting victims’ bank accounts and cryptocurrencies.
Experts from Group-IB, ThreatFabric and Cyble recently reported on Godfather, its goals and its methodology: the malware tries to steal login details by overlaying fake login pages on top of legitimate banking and cryptocurrency applications (exchanges, wallets and similar).
The researchers found that Godfather has targeted more than 400 different entities, most of them located in the US (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).
Multiple infection vectors
The malware also checks the infected device's language and, if it is set to Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek or Tajik, it terminates the entire operation, which leads some researchers to believe the cybercriminals are of Russian origin.
The exact number of infected devices is impossible to determine, because the Play Store is not the only infection vector. In fact, the malware has had relatively limited distribution via Google's app repository, and the main distribution channels have yet to be discovered. Cyble's research shows that one of the malicious apps has more than 10 million downloads.
Once a victim has installed the malware, it still needs to be granted permissions, so in some cases it imitates "Google Protect" and requests access to the Accessibility Service. If the victim grants it, the malware hijacks texts and notifications, starts screen recording, exfiltrates contacts and call lists, and more.
Once the accessibility service is enabled, the malware becomes even more difficult to remove and allows the cybercriminals to exfiltrate Google Authenticator one-time passwords.
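Because the abuse described above hinges on the victim granting accessibility access to an app posing as "Google Protect", a defender's first triage step on a suspect device is to inspect which services actually hold that access. The script below is an added example, not code from the article or from any of the firms it cites. It parses the Android Secure setting enabled_accessibility_services, which the platform stores as a colon-separated list of package/Service component names (the same string that adb shell settings get secure enabled_accessibility_services prints), and flags services that are not on an allowlist or whose name echoes "Google Protect" without living in a Google package. The allowlist, the lookalike pattern and the sample setting value are constructed for illustration.

```python
"""Triage helper: flag suspicious Android accessibility services.

Added example (not from the article or any vendor). It parses the value of
the Secure setting `enabled_accessibility_services`, a colon-separated list
of `package/Service` component names. The allowlist and sample data below
are constructed for illustration; an MDM would supply the real allowlist.
"""
import re

# Packages an organisation trusts to hold accessibility access
# (constructed sample allowlist).
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}

# Droppers of this family pose as "Google Protect"; flag names that echo
# Google/Play Protect but live outside genuine Google/Android packages.
LOOKALIKE_RE = re.compile(r"(google|play)[\s_.-]*protect", re.IGNORECASE)
GOOGLE_PREFIXES = ("com.google.", "com.android.")


def parse_services(setting_value):
    """Split the raw setting into (package, fully qualified class) tuples."""
    result = []
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # Android allows the shorthand "pkg/.Service" for classes inside pkg.
        if cls.startswith("."):
            cls = pkg + cls
        result.append((pkg, cls))
    return result


def assess(setting_value, trusted=TRUSTED_PACKAGES):
    """Return (package, reason) findings for services an analyst should review."""
    findings = []
    for pkg, cls in parse_services(setting_value):
        if LOOKALIKE_RE.search(pkg) or LOOKALIKE_RE.search(cls):
            if not pkg.startswith(GOOGLE_PREFIXES):
                findings.append((pkg, "name mimics Google Protect"))
                continue
        if pkg not in trusted:
            findings.append((pkg, "accessibility access not on allowlist"))
    return findings


if __name__ == "__main__":
    # Constructed sample: one legitimate screen reader plus a lookalike.
    SAMPLE = ("com.google.android.marvin.talkback/"
              "com.google.android.marvin.talkback.TalkBackService:"
              "com.example.googleprotect/.ProtectService")
    for pkg, reason in assess(SAMPLE):
        print(f"REVIEW {pkg}: {reason}")
```

On a managed fleet the same check belongs in the MDM compliance policy rather than in an ad-hoc script; the value of running it by hand is that a service the user never knowingly enabled, or one whose label imitates Play Protect, stands out immediately and can be revoked before further credentials or one-time codes leak.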
The researchers also said that the malware has additional modules that can be loaded to give it further functionality, such as running a VNC server, enabling silent mode, establishing a WebSocket connection, or dimming the screen.
By: BleepingComputer