Godfather attacked banks and cryptocurrency exchanges

Published December 24, 2022
Author: Ash Khan

Godfather has attacked around 400 banks and several cryptocurrency exchange applications

It is an Android banking virus that has targeted users in 16 countries, stealing account credentials for over 400 online financial companies and cryptocurrency exchanges.

How does this virus work?

This virus relies on trickery. It displays overlay login screens on top of the login forms of banking and cryptocurrency exchange applications. When victims attempt to log in, they actually enter their credentials into well-crafted HTML phishing pages.
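One defensive control an Android banking app can apply against the overlay technique described above, shown as an added example (it is not code from the article or from Group-IB). Layout and view ids (`R.layout.activity_login`, `R.id.username`, `R.id.password`, `R.id.sign_in`) are hypothetical; the API calls are real framework methods.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;

/** Login screen that refuses input delivered through another window drawn on top of it. */
public class LoginActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);          // hypothetical layout resource

        EditText username = findViewById(R.id.username);  // hypothetical view ids
        EditText password = findViewById(R.id.password);
        Button signIn = findViewById(R.id.sign_in);

        // Framework mitigation: the system silently drops touches that arrive while
        // another app's window fully covers the view (MotionEvent.FLAG_WINDOW_IS_OBSCURED).
        username.setFilterTouchesWhenObscured(true);
        password.setFilterTouchesWhenObscured(true);
        signIn.setFilterTouchesWhenObscured(true);

        // Explicit check for the partially covered case, which the filter above does not
        // handle; warn the user instead of submitting the form.
        signIn.setOnTouchListener((v, event) -> {
            if (isObscured(event)) {
                Toast.makeText(this, "Another app is drawing over this screen. Sign-in blocked.",
                        Toast.LENGTH_LONG).show();
                return true;  // consume the event so the click listener never fires
            }
            return false;     // normal processing
        });
    }

    /** True when the touch passed through an overlapping window (partial flag needs API 29+). */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        return (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
                || (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }
}
```

This only helps when the victim's touch still reaches the genuine app; a fully opaque fake page that captures the keystrokes itself is never seen by the real activity, so the check complements Play Protect and user awareness rather than replacing them.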

Group-IB investigators uncovered the Godfather virus. They believe it is the heir of Anubis, a once-popular banking malware that progressively faded out of use owing to its inability to circumvent modern Android protections.

In addition, Cyble issued a study yesterday revealing an increase in Godfather activity. The trojan was being distributed as an app that imitates a popular music tool in Turkey. As of now, the app has been downloaded 10 million times on Google Play.

Godfather is targeting international banks

Group-IB uncovered limited circulation of the virus through Google Play Store apps. However, the primary distribution routes have not been identified yet, so the initial infection mechanism remains unclear.

Almost half of all Godfather-targeted applications, 215, are banking apps, with the majority of them located in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (UK) (17).

In addition to banking apps, Godfather targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet web applications.

The trojan checks the system language and stops running if it is set to Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. This is substantial evidence that the writers of Godfather speak Russian and may live in the CIS region.

The Godfather

Godfather was first found by ThreatFabric in March 2021, although it has since undergone major code modifications and enhancements.

Once installed on the device, Godfather imitates ‘Google Protect,’ a common security tool on all Android handsets. The malware even shows a fake scan of the device.

The purpose of this fake scan is to request Accessibility Service access from what looks to be a legitimate tool. Once the victim confirms the request, the virus has all the rights it requires to carry out destructive actions.

These include access to SMS texts and notifications, screen recording, contacts, making calls, writing to external storage, and checking device status.

Furthermore, the Accessibility Service is exploited to prevent the user from deleting the trojan. The trojan also obtains access to Google Authenticator OTPs, executes instructions, and steals the contents of PIN and password fields.

Godfather collects the list of installed applications and sends it to the C2 server, which returns matching fake HTML login forms used to steal credentials.

Group-IB states that the web fakes imitate the login pages of real apps. All data submitted into the fake HTML pages, such as usernames and passwords, is sent to the command-and-control servers.

What makes it so dangerous?

The virus generates phony notifications from installed apps on the victim’s device to avoid having to wait for the target app to start. When the victim taps the notification to log in, they are redirected to the phishing page.

Godfather has screen recording capabilities to collect the credentials entered by the victim for apps that are not on the list.

Furthermore, the virus receives the following commands from the C2 and executes them with administrator rights on the device:

startUSSD – Execute a USSD request (not processed in later malware versions)

sendSMS – Send SMS from an infected device.

startApp – Launch an app specified by the C2

cachecleaner – Clear the app cache for any app defined by the C2

startApp – Launch an app specified by the C2. Most likely used for spreading; the newest version does not include this feature.

startforward/stopforward – Enable/disable call forwarding to a number given by the C2

startsocks5/stopsocks5 – Enable/disable a SOCKS5 proxy killbot

startPush – Display push notifications that, when clicked, open a fake web page (phishing).

Aside from the aforementioned functionality, the trojan includes modules that allow it to perform actions such as keylogging, launching a VNC server, and recording the screen. It can also lock the screen, exfiltrate and block notifications, enable silent mode, establish a WebSocket connection, and dim the screen.

What is the link between Godfather and Anubis?

The source code for Anubis was published in 2019. Godfather could be a new project from the same developers, or a new virus built by a different organization.

There are some similarities between Anubis and Godfather. For example, both receive the C2 address and process and execute C2 commands, and both have a fake web module, a proxy module, and a screen capture module.

Godfather has dropped Anubis’ file encryption, audio recording, and GPS tracking components for a VNC module. It has a new communication protocol and traffic encryption technique, and a mechanism for stealing Google Authenticator passwords.

Overall, Godfather is a feature-rich, deadly trojan. It appears to be built on proven Anubis malware code that targets a wide range of applications and Android users worldwide.

Protection tips against Godfather

To defend yourself from this attack:

  1. Only download apps from Google Play.
  2. Keep your device up to date.
  3. Use an antivirus program.
  4. Activate Play Protect.
  5. Keep the number of installed apps to a minimum.