Godfather malware makes banking apps an offer they can’t refuse

Crooks are using an Android banking Trojan dubbed Godfather to steal from banking and cryptocurrency exchange app users in 16 countries, according to Group-IB security researchers

The security firm first detected Godfather in June 2021 and as of October, the credential-stealing malware has targeted the users of more than 400 applications. This includes 215 international banks, 94 cryptocurrency wallets, and 110 crypto exchange platforms in the US, Turkey, Spain, Canada, Germany, France and the UK.  

Additionally, the malware's code has an interesting functionality that stops it from attacking Russian-speaking users or those that speak a handful of other languages used in the former Soviet Union including Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.

This "could suggest that the developers of Godfather are Russian speaking," Group-IB wrote.

After stealing users' credentials and bypassing two-factor authentication, the criminals access the victims' bank accounts and crypto wallets, and then drain their funds.

Godfather is essentially an updated version of the Anubis banking Trojan, according to the security researchers, who found that both share the same code base. 

In addition to improving the command and control communication protocol and capabilities, "Godfather's developers also modified Anubis' traffic encryption algorithm, updated several functionalities such as Google Authenticator OTPs, and added a separate module for managing virtual network computing connections," they wrote.

Even after appearing on the malware scene in June 2021, Godfather stopped circulating about a year later, which the infosec analysts believe was related to another software update. It reappeared in September, with a modified WebSocket functionality as well as a malware-as-a-service version being sold on Telegram.

The security researchers say they don't know exactly how Godfather infects devices. However, after analyzing the Trojan's network infrastructure, they discovered a domain whose command-and-control address belonged to an Android app. 

"While Group-IB was unable to obtain the payload, analysts believe that a malicious application hosted on the Google Play Store contained the Godfather Trojan," they wrote.

• Legit Android apps poisoned by sticky 'Zombinder' malware
• Good news, URSNIF no longer a banking trojan. Bad news, it's now a backdoor
• French-speaking voleurs stole $30m in 15-country bank, telecoms cyber-heist spree
• Financial authorities fine UK bank nearly $60m for platform migration disaster

Once downloaded onto a mobile device, the code imitates Google Protect to establish persistence and access AccessibilityService, another legitimate Android tool used by developers to modify their apps for users with disabilities. This also gives Godfather the needed permissions to communicate with the C&C server.

And like other banking Trojans, the malware uses web fakes — phony web pages that display over legitimate applications — that allow the criminals to steal user credentials. The web fakes mimic legitimate login pages for the banking apps, so when users enter their name and password, they are entering that private information into a threat-actor controlled website. 

In addition to exfiltrating users' credentials, Godfather also sends push notifications to harvest users' two-factor authentication codes. Once they've stolen users' credentials and codes, they can steal all the funds from the banking accounts or crypto wallets.

"While Group-IB does not have definitive data on the amount of money stolen by operators of Godfather," the report noted, "the methods harnessed by malicious actors are cause for concern." ®