Group-IB, which claims to be one of the global cybersecurity leaders, has presented its findings about Godfather, an Android banking Trojan that is currently being utilized by cybercriminals “to attack users of leading banking and crypto exchange applications in 16 countries.”
To date, Godfather has “targeted the users of more than 400 applications thanks to its ability to generate convincing web fakes and overlay them on the screens of infected devices when a user tries to open a targeted application.”
With this scheme, the threat actors leveraging Godfather attempt “to steal victims’ login credentials and bypass two-factor authentication in order to gain access to victims’ accounts and drain their funds.”
During their research into this new Android Trojan, Group-IB’s Threat Intelligence team discovered that Godfather is “a successor of Anubis, a widely-used banking Trojan whose functionalities were limited by Android updates and the prior efforts of malware detection and prevention providers.”
As of October 2022, 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms have been “targeted by Godfather.”
The Trojan has also been “used in a range of markets, as users in more than a dozen countries have been at risk of having their credentials stolen by threat actors leveraging Godfather.”
According to Group-IB’s findings, banking applications in the United States (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17), “have been the most targeted by this particular Trojan.”
Interestingly, Group-IB found in Godfather’s code “a functionality that stops the Trojan from attacking users who speak Russian or one of a number of languages used in the former Soviet Union, which could suggest that the developers of Godfather are Russian speaking.”
The Trojan does this by “checking the system language of the infected device and shutting down if the language is one of: Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.”
To start analyzing Godfather, one must start “with Anubis.” Godfather is “an upgraded version of the Anubis banking Trojan, whose source code was leaked back in 2019.”
Anubis’ functionalities were “clipped by Android updates, meaning that malware developers looked for ways to update the Trojan to allow it to continue attacking unsuspecting users.”
Group-IB found “that both Anubis and Godfather have the same code base, but the latter’s control & command communication protocol and capabilities were updated.”
Godfather’s developers also “modified Anubis’ traffic encryption algorithm, updated several functionalities such as Google Authenticator OTPs, and added a separate module for managing virtual network computing connections.”
Additionally, several functionalities “found in Anubis, such as the ability of the Trojan to encrypt files, record audio, or parse GPS data, have been removed.”
Analysts at Group-IB first “detected Godfather in June 2021. Godfather stopped being circulated in June 2022, which Group-IB analysts believe was due to the malware being updated further.”
Godfather would eventually “reappear in September 2022, now with slightly modified WebSocket functionality.” A distinctive feature of the Trojan is that it “can be distributed via a Malware-as-a-Service (MaaS) model, with this being discovered thanks to the real-time Telegram monitoring capabilities of Group-IB’s Threat Intelligence solution.”
Additionally, Group-IB researchers found “that C&C addresses for Godfather were shared through Telegram channel descriptions, as was the case with Anubis.”
As of writing, there is still “a lack of clarity on how exactly Godfather infects devices.”
However, Group-IB Threat Intelligence researchers discovered, “through an analysis of the Trojan’s network infrastructure, a domain whose C&C address was that of an Android application.”
While Group-IB was unable to obtain the payload, analysts believe “that a malicious application hosted on the Google Play Store contained the Godfather Trojan.”
Once Godfather is downloaded onto a device, the Trojan attempts “to achieve persistence by imitating Google Protect, a legitimate program that runs once an individual downloads an application from the Play Store.”
The malware is able “to emulate the legitimate Google application and indicates to the user that it is ‘scanning’.”
However, the malware is “doing nothing of the sort.” Instead, it creates a pinned “Google Protect” notification and “hides its icon from the list of installed applications.”
The malware, as “Google Protect”, also launches a service “to request access to AccessibilityService, an Android feature used by developers to adapt their applications to users with disabilities.”
Access to AccessibilityService is also “requested once the user presses the “Scan” button in the fake Google Protect application.” With access to AccessibilityService, Godfather “issues itself the necessary permissions and starts communicating with the C&C server.”
The user, who has no idea that their device is now infected with malware, “goes about their daily business”.
At this point, Godfather “kicks into action.”
A signature feature of Godfather, “as with many other banking Trojans, is the use of web fakes, also known as HTML pages created by threat actors that display over legitimate applications.”
The user may interact “with these web fakes at two stages: either when they open a legitimate application that is targeted by Godfather, or when they interact with a decoy notification spoofing a targeted banking or crypto application on the user’s device.”
The web fakes “mimic the login pages for the legitimate applications, and all data that is entered into the fake HTML pages, such as usernames and passwords, is exfiltrated to C&C servers.”
The threat actors “harvest these credentials and then use them to enter the legitimate applications, with the help of Godfather’s functionality to exfiltrate push notifications to harvest two-factor authentication codes, and drain the user’s accounts.”
While Group-IB does “not have definitive data on the amount of money stolen by operators of Godfather, the methods harnessed by malicious actors are cause for concern.”
For more details, check here.