December 21, 2022Rabbi LakshmananMobile Security/Banking Trojans

Android banking Trojan known as godfather is used to target users of over 400 banking and cryptocurrency apps across 16 countries.

This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the United States, Turkey, Spain, Italy, Canada, and Canada. Said In a report shared with The Hacker News.

This malware, like many financial Trojans targeting the Android ecosystem, steals user credentials by generating a compelling overlay screen (a.k.a. webfake) that appears on top of the target application. trying to steal

cyber security

First detected by Group IB in June 2021, Open to the public Created by ThreatFabric in March 2022, GodFather contains a native backdoor that can exploit Android’s accessibility APIs to record videos, log keystrokes, capture screenshots, and collect SMS and call logs. It also has built-in functionality.

Android banking Trojan

Analysis of the malware by Group-IB reveals it to be the successor to the malware. Anubisis another banking Trojan whose source code was leaked on an underground forum in January 2019. It is also said to be distributed to other attackers via a malware-as-a-service (MaaS) model.

The similarities between the two malware families extend to how they receive command and control (C2) addresses, C2 command implementations, web fakes, proxies, and screen capture modules. However, voice recording and location tracking features have been removed.

“Interestingly, Godfather spares users in post-Soviet countries,” said Group-IB. “If a potential victim’s system settings include any of the local languages, the Trojan will shut down. This suggests that GodFather’s developer is a Russian speaker. may have.”

What makes GodFather stand out is the fact that it obtains command and control (C2) server addresses by encrypting and decrypting descriptions of Telegram channels controlled by the attackers. blowfish code.

Android banking Trojan

Although the exact technique employed to infect user devices is unknown, examination of the threat actor’s command and control (C2) infrastructure suggests that trojanized dropper apps are a potential distribution vector. revealed as one.

This is based on a C2 address linked to an app named Currency Converter Plus ( hosted on the Google Play store as of June 2022. The application in question is no longer available for download.

Another artifact investigated by Group-IB masquerades as legitimate Google Play Protect Services to create at startup continuous notification Hides its icon from the list of installed applications.

Findings come as Cyble discovered Numerous GodFather samples masquerading as the MYT Müzik app targeting users in Turkey.

GodFather is not the only Android malware based on Anubis. Earlier this July, ThreatFabric revealed what was known as a modified version of Anubis. falcon Targeted Russian users by impersonating the state-owned VTB bank.

Group-IB researcher Artem Grischenko said:

“With tools like GodFather, threat actors are only limited by their ability to create compelling web spoofs for specific applications. Sometimes the sequel is better than the original. “

Did you find this article interesting?Please follow us twitter When LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog