Android Banking Trojan

An Android banking trojan known as GodFather is being used to target users of more than 400 banking and cryptocurrency apps spanning across 16 countries.

This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, Canada, and Canada, among others, Singapore-headquartered Group-IB said in a report shared with The Hacker News.

The malware, like many financial trojans targeting the Android ecosystem, attempts to steal user credentials by generating convincing overlay screens (aka web fakes) that are served atop target applications.

First detected by Group-IB in June 2021 and publicly disclosed by ThreatFabric in March 2022, GodFather also packs in native backdoor features that allows it to abuse Android's Accessibility APIs to record videos, log keystrokes, capture screenshots, and harvest SMS and call logs.

Android Banking Trojan

Group-IB's analysis of the malware has revealed it to be a successor of Anubis, another banking trojan that had its source code leaked in an underground forum in January 2019. It's also said to be distributed to other threat actors through the malware-as-a-service (MaaS) model.

The similarities between the two malware families extend to the method of receiving the command-and-control (C2) address, implementation of C2 commands, and the web fake, proxy and screen capture modules. However, audio recording and location tracking features have been removed.

"Interestingly, GodFather spares users in post-Soviet countries," Group-IB said. "If the potential victim's system preferences include one of the languages in that region, the Trojan shuts down. This could suggest that GodFather's developers are Russian speakers."

What makes GodFather stand out is the fact that it retrieves its command-and-control (C2) server address by decrypting actor-controlled Telegram channel descriptions that are encoded using the Blowfish cipher.

Android Banking Trojan

The exact modus operandi employed to infect user devices is not known, although an examination of the threat actor's command-and-control (C2) infrastructure reveals trojanized dropper apps as one potential distribution vector.

This is based on a C2 address that's linked to an app named Currency Converter Plus (com.plus.currencyconverter) that was hosted on the Google Play Store as of June 2022. The application in question is no longer available for download.

Another artifact examined by Group-IB impersonates the legitimate Google Play Protect service that, upon being launched, creates an ongoing notification and hides its icon from the list of installed applications.

The findings come as Cyble discovered a number of GodFather samples masquerading as the MYT Müzik app aimed at users in Turkey.

"Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources," a Google spokesperson told The Hacker News. "Users are protected by Google Play Protect, which blocks these identified malicious apps on Android devices."

GodFather is not the only Android malware based on Anubis. Earlier this July, ThreatFabric revealed that a modified version of Anubis known as Falcon targeted Russian users by impersonating the state-owned VTB Bank.

"The emergence of GodFather underscores the ability of threat actors to edit and update their tools to maintain their effectiveness in spite of efforts by malware detection and prevention providers to update their products," Group-IB researcher Artem Grischenko said.

"With a tool like GodFather, threat actors are limited only by their ability to create convincing web fakes for a particular application. Sometimes, the sequel really can be better than the original."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.