An Android banking trojan known as GodFather is being used to target users of more than 400 banking and cryptocurrency apps spanning across 16 countries.
This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, and Canada, among others, Singapore-headquartered Group-IB said in a report shared with The Hacker News.
The malware, like many financial trojans targeting the Android ecosystem, attempts to steal user credentials by generating convincing overlay screens (aka web fakes) that are served atop target applications.
First detected by Group-IB in June 2021 and publicly disclosed by ThreatFabric in March 2022, GodFather also packs in native backdoor features that allow it to abuse Android's Accessibility APIs to record videos, log keystrokes, capture screenshots, and harvest SMS and call logs.
Group-IB's analysis of the malware has revealed it to be a successor of Anubis, another banking trojan that had its source code leaked on an underground forum in January 2019. It is also said to be distributed to other threat actors through the malware-as-a-service (MaaS) model.
The similarities between the two malware families extend to the method of receiving the command-and-control (C2) address, the implementation of C2 commands, and the web fake, proxy and screen capture modules. However, the audio recording and location tracking features have been removed.
"Interestingly, GodFather spares users in post-Soviet countries," Group-IB said. "If the potential victim's system preferences include one of the languages in that region, the Trojan shuts down. This could suggest that GodFather's developers are Russian speakers."
What makes GodFather stand out is the fact that it retrieves its command-and-control (C2) server address by decrypting actor-controlled Telegram channel descriptions that are encoded using the Blowfish cipher.
The exact modus operandi employed to infect user devices is not known, although an examination of the threat actor's command-and-control (C2) infrastructure reveals trojanized dropper apps as one possible distribution vector.
This is based on a C2 address that is linked to an app named Currency Converter Plus (com.plus.currencyconverter) that was hosted on the Google Play Store as of June 2022. The application in question is no longer available for download.
Another artifact examined by Group-IB impersonates the legitimate Google Play Protect service and, upon being launched, creates an ongoing notification and hides its icon from the list of installed applications.
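The traits described above (a fake "Google Play Protect" label, an accessibility service, overlay capability for web fakes, and a hidden launcher icon) can be turned into a simple triage heuristic for an installed-app inventory. The following is an added example, not code from the article or from Group-IB; the app records, package names and the three-trait threshold are constructed assumptions, and the permission strings are standard Android ones.

```python
# Added example: flag installed apps that show the GodFather-style traits the
# article describes. The inventory below is constructed; in practice the same
# fields would come from `adb shell dumpsys package` output or a parsed manifest.
from dataclasses import dataclass, field

# Packages that legitimately carry Google Play / Play Protect branding.
GOOGLE_PACKAGES = {"com.google.android.gms", "com.android.vending"}


@dataclass
class AppRecord:
    package: str
    label: str
    permissions: set = field(default_factory=set)  # requested or declared on services
    has_launcher_icon: bool = True


def triage(app: AppRecord) -> list[str]:
    """Return the suspicious traits found for one app (empty list if none)."""
    findings = []
    if "play protect" in app.label.lower() and app.package not in GOOGLE_PACKAGES:
        findings.append("impersonates Google Play Protect")
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in app.permissions:
        findings.append("declares an accessibility service")
    if "android.permission.SYSTEM_ALERT_WINDOW" in app.permissions:
        findings.append("can draw overlays (web fakes)")
    if not app.has_launcher_icon:
        findings.append("launcher icon hidden")
    return findings


def flag_suspicious(apps, threshold=3):
    """Apps with at least `threshold` traits are worth manual analysis."""
    return {a.package: triage(a) for a in apps if len(triage(a)) >= threshold}


# Constructed sample inventory: one ordinary app and one GodFather-like app.
SAMPLE_APPS = [
    AppRecord("com.example.notes", "Notes", {"android.permission.INTERNET"}),
    AppRecord("com.fake.protect", "Google Play Protect",
              {"android.permission.BIND_ACCESSIBILITY_SERVICE",
               "android.permission.SYSTEM_ALERT_WINDOW",
               "android.permission.READ_SMS"},
              has_launcher_icon=False),
]

if __name__ == "__main__":
    for pkg, traits in flag_suspicious(SAMPLE_APPS).items():
        print(pkg, "->", ", ".join(traits))
```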
The findings come as Cyble discovered a number of GodFather samples masquerading as the MYT Müzik app aimed at users in Turkey.
GodFather is not the only Android malware based on Anubis. Earlier this July, ThreatFabric revealed that a modified version of Anubis known as Falcon targeted Russian users by impersonating the state-owned VTB Bank.
"The emergence of GodFather underscores the ability of threat actors to edit and update their tools to maintain their effectiveness despite efforts by malware detection and prevention providers to update their products," Group-IB researcher Artem Grischenko said.
"With a tool like GodFather, threat actors are limited only by their ability to create convincing web fakes for a particular application. Sometimes, the sequel really can be better than the original."