Godfather Android Banking Trojan Steals Through Mimicry

Trojan Impersonates More Than 400 Financial and Crypto Exchange Apps
A banking Trojan is on a rampage thanks to its ability to mimic the appearance of more than 400 applications, including leading financial and crypto exchange applications, in 16 countries.
Research from security intelligence firm Group-IB says the Trojan, dubbed Godfather, reappeared in September with slightly modified WebSocket functionality after a three-month pause in circulation.
Godfather is an upgraded version of the Anubis banking Trojan, whose code leaked online in 2019 (see: Botnet Watch: Anubis Mobile Malware Gets New Features). Godfather gets around Android security updates limiting Anubis through an updated command-and-control communication protocol. Its operators also removed several functionalities found in Anubis, such as the ability of the Trojan to encrypt files, record audio or parse GPS data. Group-IB researchers aren't entirely sure how Godfather infects devices but suspect one method is malicious apps on the Google Play store.
A signature feature of Godfather is the use of fake login pages that look like the real thing to trick unsuspecting users into giving up credentials. Godfather passes the captured credentials through to the real financial service's app while also exfiltrating any push-notification one-time passcodes used for second-factor authentication. The object is to gain access to accounts with money and drain them.
The Trojan establishes persistence by emulating a security feature that asks users' permission to scan the device. The scan actually pins a "Google Protect" notification and hides the Trojan's icon from the list of installed applications. It then seeks to obtain access to additional layers of Android functionality by requesting the user approve access to the AccessibilityService, an operating system feature meant to allow developers to adapt apps to users with disabilities.
"With access to AccessibilityService, Godfather issues itself the necessary permissions and starts communicating with the C&C server," Group-IB says.
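For defenders, the capability mix described above (an accessibility service, a notification listener for push one-time passcodes, and an overlay permission for fake login pages) is something a manifest triage script can flag. The following is an added example, not code from Group-IB or the article; the permission strings are standard Android ones, and the sample manifest is constructed.

```python
"""Triage an Android manifest for the capability combination attributed to Godfather:
accessibility service (self-granting permissions), notification listener (push OTP capture)
and overlay permission (fake login pages). Added example; sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission strings. Any one of these alone is common in legitimate apps;
# it is the combination that makes a sample worth closer inspection.
INDICATORS = {
    "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "notification_listener": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "overlay": "android.permission.SYSTEM_ALERT_WINDOW",
}

def manifest_indicators(manifest_xml: str) -> dict:
    """Return which of the indicator capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = {name: False for name in INDICATORS}
    # Overlay ability is requested as a <uses-permission>.
    for up in root.iter("uses-permission"):
        if up.get(ANDROID_NS + "name") == INDICATORS["overlay"]:
            found["overlay"] = True
    # Accessibility and notification-listener services are <service> elements
    # that must be protected by the corresponding BIND_* permission.
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm == INDICATORS["accessibility_service"]:
            found["accessibility_service"] = True
        elif perm == INDICATORS["notification_listener"]:
            found["notification_listener"] = True
    return found

def risk_score(found: dict) -> int:
    """Number of co-occurring capabilities; 3 means the full pattern is present."""
    return sum(found.values())

# Constructed sample manifest declaring the capability set described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    hits = manifest_indicators(SAMPLE_MANIFEST)
    print(hits, "score:", risk_score(hits))
```

On real samples the manifest must first be decoded from the APK's binary XML (for example with apktool); this script expects plain XML.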
The cybersecurity firm says that, as of October, Godfather has targeted users of 215 banks, 94 crypto wallet providers and 110 crypto exchange platforms.