

According to researchers at Group-IB, an Android banking trojan called “Godfather”, the successor to Anubis, has targeted more than 400 financial companies in the past year.
The trojan has targeted more than 400 organizations in 16 countries, including 215 banks. The targeted organizations are based in the U.S., Turkey, Spain, Canada, Germany, France, and the UK.
If the device’s system language is Russian or one of the other languages of the region, the trojan shuts down; Group-IB takes this exclusion as a sign that Godfather’s developers may be Russian speakers.
The banking trojan is designed to steal banking and cryptocurrency-exchange credentials, and it goes beyond the capabilities of its predecessor, which fell out of use after platform security upgrades. Malicious operations paused for a while, which Group-IB believes is when the trojan received its updates.
Godfather is built on a leaked version of the Anubis codebase. The newer trojan adds command-and-control (C2) communication upgrades, a modified traffic cipher, and a new module for managing virtual network computing (VNC) connections.
The trojan can record the target’s screen, launch keyloggers, circumvent two-factor authentication by exfiltrating push notifications, execute USSD requests, launch a proxy server, and establish WebSocket connections.
The leaked certificates were used to hack into the devices.
Godfather can push fake notifications to the device and display fake pages on top of legitimate applications: after a user taps a decoy notification or opens a targeted app, a fake page generated by Godfather appears on the infected device.
One such decoy app mimics MYT Müzik, a popular music app in Turkey with 10 million downloads. The malicious app carries the same logo and name as the legitimate one.
Godfather cannot record audio or collect GPS location data.
Malicious applications hosted on the Play store may be behind the distribution of Godfather. Once launched, the software gives the impression that it is running normally, but it is an imitation.
To achieve persistence, the malware requests accessibility service permissions, creates a pinned notification, and hides its icon from the list of installed applications.
Imitating Google Protect makes it easy for the malware to go undetected on infected devices: unwitting users believe they are being protected by an Android service while the malicious actors gain access to their banking and financial portal accounts.
Group-IB does not have definitive data on the amount of money stolen by Godfather’s operators, but the methods the malicious actors harness are cause for concern.
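As an added illustration (not from the Group-IB report or this article), the following Python triage heuristic shows how a defender could scan a mobile-device-management inventory export for the combination of traits described above: a launcher label that impersonates a known app or Google Protect under a different package name, a hidden launcher icon, an accessibility-service request, and a pinned notification. The inventory records, the KNOWN_APPS mapping and every package id in it are constructed for this example.

```python
import unicodedata

# Constructed allowlist: normalized launcher label -> legitimate package id.
# The package id is a placeholder; in practice take it from the store listing.
KNOWN_APPS = {
    "myt muzik": "com.example.mytmuzik",
}


def normalize_label(label):
    """Fold case and strip diacritics so 'MYT Müzik' and 'MYT Muzik' compare equal."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).strip().lower()


def triage_app(app):
    """Return the Godfather-style indicators present in one inventory record."""
    findings = []
    label = normalize_label(app["label"])
    expected = KNOWN_APPS.get(label)
    if expected and app["package"] != expected:
        findings.append(f"label impersonates {app['label']} (expected {expected})")
    # A "Google Protect"-style label that is not shipped by a Google package.
    if "google" in label and "protect" in label and not app["package"].startswith("com.google."):
        findings.append("label impersonates Google Protect")
    if app.get("launcher_icon_hidden"):
        findings.append("launcher icon hidden after install")
    if app.get("requests_accessibility"):
        findings.append("requests accessibility service")
    if app.get("pinned_notification"):
        findings.append("keeps a pinned (ongoing) notification")
    return findings


def suspicious_apps(inventory, min_findings=2):
    """Map package -> findings for records with at least min_findings indicators.
    A single indicator (e.g. accessibility alone) is common in benign apps, so it is not flagged."""
    flagged = {}
    for app in inventory:
        findings = triage_app(app)
        if len(findings) >= min_findings:
            flagged[app["package"]] = findings
    return flagged


# Constructed inventory: one legitimate app, two decoys, one benign accessibility app.
SAMPLE_INVENTORY = [
    {"package": "com.example.mytmuzik", "label": "MYT Müzik"},
    {"package": "com.update.service", "label": "MYT Muzik", "launcher_icon_hidden": True,
     "requests_accessibility": True, "pinned_notification": True},
    {"package": "com.security.scan", "label": "Google Protect", "launcher_icon_hidden": True,
     "requests_accessibility": True},
    {"package": "com.notes.reader", "label": "Notes", "requests_accessibility": True},
]
```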