Users of hundreds of banking applications, cryptocurrency wallets and crypto-exchanges have been targeted by a prolific mobile banking Trojan since at least June 2021, according to Group-IB.
The Singapore-based security vendor claimed in a new report that, as of October 2022, the Trojan had targeted 215 global banks, 94 cryptocurrency wallets and 110 crypto-exchange platforms.
Most of those firms are in the US, Turkey, Spain, Canada, Germany, France and the UK. Interestingly, none are located in former Soviet countries, hinting that the perpetrators may be Russian.
The malware itself is hidden in legitimate-looking apps on Google Play, with the payload spoofed to appear as if it's Google Protect. It’s based on an old piece of banking Trojan malware known as Anubis, which has been modernized to include a different C&C communication protocol, traffic encryption algorithm and other features.
It also removed some of the old functionality in Anubis including file encryption, recording audio and receiving GPS information, Group-IB said.
When a user interacts with a decoy notification or tries to open one of the legitimate applications targeted by Godfather, the malware shows them a “web fake” overlay, which harvests usernames and passwords, as well as SMS-based two-factor authentication codes.
The malware also has the ability to launch keyloggers and record the victim’s device screen if necessary, to get the same information, the report explained.
Group-IB claimed that intelligence gleaned from a Telegram channel suggests Godfather is being distributed via malware-as-a-service model.
“By imitating Google Protect, Godfather can easily go undetected on infected devices. Unwitting users believe they are being protected by an Android service, but in fact, the malicious actors gain access to their banking and financial portal accounts,” the security vendor concluded.
“While Group-IB does not have definitive data on the amount of money stolen by operators of Godfather, the methods harnessed by malicious actors are cause for concern.”