German Authorities Warn: “Godfather” Malware Targets Cryptocurrency Wallets and Other Financial Apps
Attacks about 400 financial apps
Germany's Federal Financial Supervisory Authority (BaFin) announced on the 9th that a Trojan horse malware called “GodFather” is attacking about 400 banking and cryptocurrency (virtual currency) wallet applications, including those of German companies, and issued a warning to consumers.
BaFin explained that devices infected with this malware display fake login pages for banking and cryptocurrency apps; when users log in through these fake pages, their login data is sent to the cybercriminals.
The malware is also known to send push notifications in order to fraudulently obtain the user's “two-factor authentication code”.
BaFin said it was unclear how the malware gets onto users' devices, but that criminals could use the stolen data to gain access to users' accounts and wallets.
Cybersecurity firm Group-IB published a blog post on December 21 last year detailing The Godfather.
In a new blog post, Group-IB's Threat Intelligence team describes in detail who #Godfather attacks, how it does it, and what this #banking #Trojan inherited from its predecessor. Read now https://t.co/VY4FZl4BLE pic.twitter.com/ZiHjtStnoT
— Group-IB Global (@GroupIB_GIB) December 21, 2022
Group-IB first detected the “mobile banking Trojan” The Godfather in June 2021. After researchers at fraud risk management firm Threat Fabric first publicly mentioned The Godfather in March 2022, the malware stopped circulating in June of the same year.
However, as Group-IB had anticipated, a version with upgraded functionality appeared in September and is now being used to target users of financial services worldwide; as of October 2022, 215 international banks, 94 cryptocurrency wallets and 110 cryptocurrency exchanges were affected.
The targeted companies are based in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17), among others.
The Godfather, meanwhile, is programmed to shut down if the device's system language settings include a language of the former Soviet Union (Russian, Azerbaijani, Kazakh, etc.). This suggests that the developer of this malware may be Russian-speaking.
Malware for Android devices
According to Group-IB, Godfather is based on the source code of another banking Trojan called Anubis and has been updated for newer versions of Android.
One feature common to Android banking Trojans, and also present in The Godfather, is the use of overlays: fake web pages created by cybercriminals are displayed on top of legitimate apps. On infected devices, the fake page is overlaid on the legitimate one when the user taps a decoy notification or opens the legitimate app.
When Godfather is launched, it mimics the standard security tool “Google Protect” that is built into all Android devices. The fake tool shows itself as “active”. Pressing the “Scan” button also requests access to Android's accessibility services, and the scan will not start unless the user grants it.
It does not actually scan anything: it displays a scanning animation for 30 seconds and then reports that no malicious apps were found. However, once it holds the accessibility-services permission, Godfather grants itself the remaining permissions it needs and begins communicating with its command and control (C&C) server.
By mimicking Google Protect in this way, The Godfather makes itself harder to spot on infected devices.
After that, when the user launches a banking application and logs in to a financial service, everything entered on the fake page, including the username and password, is sent to the C&C server.
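The abuse of accessibility services described above is something a defender can check for directly, because Android keeps the list of enabled accessibility services in a single system setting. The script below is an added example and is not code from the article or from Group-IB: it parses the value of the `enabled_accessibility_services` secure setting (on a real device obtained with `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on an allowlist or whose name imitates Google Play Protect. The allowlist, the impersonation hints and the sample value with its `com.gplay.protect.service` package are constructed for this example and are not real indicators from the report.

```python
"""Flag unexpected Android accessibility services from an adb settings dump.

Added example, not from the article or Group-IB. On a real device the input
string comes from:
    adb shell settings get secure enabled_accessibility_services
Here a constructed sample is embedded so the script runs offline.
"""

# Constructed sample: one legitimate service (TalkBack) plus a suspicious one
# whose package name is hypothetical and imitates Google Play Protect.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.gplay.protect.service/com.gplay.protect.service.MainService"
)

# Package prefixes a defender would normally expect to hold this permission.
# This allowlist is an assumption for the example; tune it per device fleet.
EXPECTED_PACKAGE_PREFIXES = ("com.google.android.", "com.android.", "com.samsung.")

# Name fragments that imitate Google Play Protect. Real Play Protect ships
# inside the Play Store package and is not expected to register an
# accessibility service at all.
IMPERSONATION_HINTS = ("protect", "gplay", "googleprotect")


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'package/service' list into (package, service) pairs."""
    setting = setting.strip()
    if setting in ("", "null"):  # adb prints 'null' when the setting is unset
        return []
    pairs = []
    for entry in filter(None, setting.split(":")):
        package, _, service = entry.partition("/")
        # A leading dot means the service class is relative to the package.
        if service.startswith("."):
            service = package + service
        pairs.append((package, service))
    return pairs


def flag_services(setting: str) -> list[dict]:
    """Return findings for services outside the allowlist or imitating Play Protect."""
    findings = []
    for package, service in parse_enabled_services(setting):
        reasons = []
        if not package.startswith(EXPECTED_PACKAGE_PREFIXES):
            reasons.append("package not on allowlist")
        if any(hint in package.lower() for hint in IMPERSONATION_HINTS):
            reasons.append("name imitates Google Play Protect")
        if reasons:
            findings.append({"package": package, "service": service, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_services(SAMPLE_SETTING):
        print(f"[!] {finding['package']} ({finding['service']}): "
              f"{', '.join(finding['reasons'])}")
```

Run against a live device by piping the adb output into `flag_services`; any hit is a reason to inspect the app, since a legitimate screen reader or automation tool is usually on the allowlist while a banking Trojan never is.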
Godfather features and distribution methods
According to Group-IB, Godfather functions include:
- Recording the device screen
- Establishing a VNC (remote desktop software) connection
- Launching a keylogger
- Exfiltration of push notifications (bypassing two-factor authentication)
- Forwarding calls (bypassing two-factor authentication)
- Sending SMS messages from your device
- Starting a proxy server
- Establishing a WebSocket connection
Group-IB noted that one of Godfather's distribution methods was a malicious decoy app hosted on Google Play. A Google spokesperson later issued a statement that users are protected because Google Play Protect blocks identified malicious apps, and confirmed that the malicious apps identified in the report are no longer available on Google Play.