Banking Android Trojan Godfather is not interested in Russian users

Father

Godfather is back. The Android Trojan attacks clients of banks, cryptocurrency exchanges, and e-wallets. It is distributed through the official Google Play Store under the guise of legitimate crypto applications. Interestingly, the Trojan spares users from Russia and the CIS.

The geography of victims of the Godfather Trojan covers 16 countries of the world, and the list of targets includes 400 banks, cryptocurrency exchanges, and e-wallets, according to a Group-IB study.

Threat Intelligence experts found that Godfather was distributed through the official Google Play store under the guise of legitimate crypto applications.

Users of 215 international banks, 94 crypto wallets and 110 crypto projects have already become victims of the Trojan.

Customers from the United States, Turkey, Spain, Canada, France, and the United Kingdom are attacked most actively.

At the same time, Godfather bypasses users from Russia and the CIS. If the system settings contain one of the languages of these countries, the Trojan will stop working. Presumably, the developers of Godfather are Russian-speaking attackers.

The Trojan checks the system locale against the following values:

RU (Russia)
AZ (Azerbaijan)
AM (Armenia)
BY (Belarus)
KZ (Kazakhstan)
KG (Kyrgyzstan)
MD (Moldova)
UZ (Uzbekistan)
TJ (Tajikistan)

If the locale matches any of them, the malware terminates. The device context is also checked to determine whether the Trojan is running inside an emulator, and if so, Godfather likewise terminates.

Godfather — a mobile banking Trojan that steals the credentials of customers of banks and crypto exchanges — was first noticed in June 2021.

In March 2022, researchers from Threat Fabric were the first to mention this banker publicly, and in the summer the Trojan's activity suddenly stopped — its operators lay low. However, in September 2022, Godfather returned with a modified functionality.

As Group-IB Threat Intelligence analysts found, Godfather is based on one of the versions of the well-known banking Trojan Anubis. With the release of new versions of Android, many of Anubis's features stopped functioning, but it was not written off.

The developers of Godfather took the Anubis source code as a basis, upgraded it for newer versions of Android, and strengthened its mechanisms for evading detection by anti-fraud tools.

Godfather also inherited the distribution method from Anubis.

The Godfather downloader was located in the official Google Play store under the guise of a crypto calculator. After launching, the app asked the user to check the security of the smartphone: the standard Google Protect app was allegedly launched. After a 30-second animation, a message appeared that no malicious apps had been found.

At the same time, Godfather added itself to autostart, hid its icon from the list of installed applications, and most importantly, gained access to Accessibility Services (the set of Android features intended for users with disabilities).

Thanks to this, Godfather could record the screen of an infected device, launch a keylogger, send SMS messages, execute USSD requests, and so on.
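The abuse of Accessibility Services described above is the single capability the rest of the attack chain depends on, so the check a defender most wants is an inventory of which apps currently hold that permission. The following Python script is an added example, not code from the Group-IB report or from Godfather: it parses the value of the `enabled_accessibility_services` secure setting (as returned by `adb shell settings get secure enabled_accessibility_services`) into component names and flags any package not on an allowlist. The allowlist entries and the sample device output are constructed for illustration; `com.example.cryptocalc` is a hypothetical package name.

```python
"""Audit which accessibility services are enabled on an Android device.

Added example (not from the Group-IB report or the Godfather code): parses the
colon-separated ComponentName list stored in the `enabled_accessibility_services`
secure setting and flags packages that are not on a local allowlist.
"""
import subprocess
from typing import List, Optional, Tuple

# Constructed allowlist: packages an organisation expects to hold accessibility
# access. TalkBack is Google's screen reader; the second entry is a hypothetical
# placeholder, not a vetted real-world package.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.example.approved.switchaccess",  # hypothetical
}

# Constructed sample of what `settings get secure enabled_accessibility_services`
# might print: TalkBack plus an unknown "crypto calculator" service.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cryptocalc/.AccService"
)


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, fully qualified class) pairs.

    Android may abbreviate "pkg/pkg.Class" as "pkg/.Class"; that form is expanded.
    An unset setting prints "null", which is treated as an empty list.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for component in raw.split(":"):
        component = component.strip()
        if not component:
            continue
        package, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def flag_unexpected(services, allowed=ALLOWED_PACKAGES) -> List[Tuple[str, str]]:
    """Return the services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in services if pkg not in allowed]


def audit_device(serial: Optional[str] = None) -> List[Tuple[str, str]]:
    """Query a connected device over adb and return the unexpected services."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services",
    ]
    raw = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return flag_unexpected(parse_enabled_services(raw))


if __name__ == "__main__":
    # Run against the constructed sample so the script works without a device.
    for pkg, cls in flag_unexpected(parse_enabled_services(SAMPLE_OUTPUT)):
        print(f"UNEXPECTED accessibility service: {pkg} ({cls})")
```

On a managed fleet the same parse can be run from an MDM-collected settings dump; the point is that any unfamiliar package holding accessibility access is a finding worth investigating, since that permission is what lets an overlay Trojan read and drive other apps.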

As soon as a user launched a mobile or web application of a bank, crypto exchange, or e-wallet, Godfather "slipped" them web pages superimposed on top of the legitimate applications. All data entered on these pages, including usernames and passwords, was sent to the attackers.

One of the features of Godfather is that its command server is located in the Telegram channel description (the technique of getting the C2 address from the Telegram channel was previously used in some versions of Anubis).

"Despite the fact that the security of mobile applications and operating systems themselves is rapidly developing, it is too early to write off Android banking Trojans," says Artem Grishchenko from Group-IB. "We continue to see their high activity and widespread use of Trojan modifications, the source code of which was published in the public domain; the most striking example is the Godfather banker."

According to Grishchenko, this Trojan causes damage not only to users, but also to the entire financial sector. And cybercriminals are now limited only by their imagination and ability to create convincing web-based fakes of specific financial applications.

• Source: https://blog.group-ib.ru/godfather

+++++

Android Trojan Godfather has spawned almost 1,200 doppelgangers in 57 countries

Operators of MaaS services (Malware-as-a-Service) are actively multiplying the number of Android Trojan samples in order to increase the infection rate. In 2023, Zimperium registered 1,171 clones of the Godfather banker, and this is not the limit.

The samples differ little from each other and are most likely generated by automated means (scripts or AI assistants). However, even minor changes can mislead an antivirus, which, according to analysts, is installed by only a quarter of mobile device users.

Godfather, which appeared a couple of years ago, is able to record the screen, log keystrokes, intercept second-factor authentication calls and SMS, and initiate bank transfers. At the end of last year, its target list included 237 banking applications used in 57 countries, and the information stolen by the Trojan was displayed to MaaS affiliates in nine countries, mainly in Europe and the United States.

In an interview with Dark Reading, Zimperium's head of research, Nico Chiaraviglio, said that in 2022 they were not able to collect even a dozen Godfather samples. When MaaS service operators started using polymorphism to help customers improve the effectiveness of attacks, the number of such finds increased a hundredfold.

Their example was followed by the creators of other well-known Android bankers, but on a smaller scale. As a result, the number of Nexus samples in the expert collection has increased to 498, Saderat to 300, and PixPirate to 123. Chiaraviglio also tracks another prolific, as yet unnamed family, whose sample count has already exceeded 100,000.

A typical antivirus scanner, according to the expert, cannot cope with so many malicious siblings, each with a unique signature. What is needed here are adaptive solutions that work on correlation rules or behavioral analysis, preferably with the involvement of AI.
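The point about signatures failing against mass-produced clones is easy to see in code. The following Python script is an added example, not from Zimperium or Dark Reading: it builds a constructed base "payload", derives three polymorphic variants from it (junk insertion plus an identifier rename, the kind of minor change the article describes), and shows that every variant gets a distinct SHA-256 while a byte-shingle Jaccard similarity still groups them into one family and keeps an unrelated benign sample apart. All sample bytes are constructed stand-ins, not real Godfather or Anubis code; the similarity threshold is an assumption chosen for these inputs.

```python
"""Cluster near-duplicate samples by content similarity instead of exact hash.

Added example (not from Zimperium or Dark Reading). Exact hashes treat every
automatically generated clone as a new unknown; a byte n-gram ("shingle")
similarity still groups them into one family. All sample bytes are constructed.
"""
import hashlib
import itertools
import random
from typing import Dict, List, Set


def shingles(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of overlapping n-byte windows of the data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of two samples' shingle sets, in [0, 1]."""
    sa, sb = shingles(a, n), shingles(b, n)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def cluster(samples: Dict[str, bytes], threshold: float = 0.6) -> List[Set[str]]:
    """Union-find clustering: any pair at or above the threshold is merged.

    The threshold is an assumption tuned for the constructed inputs below.
    """
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in itertools.combinations(samples, 2):
        if jaccard(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)
    groups: Dict[str, Set[str]] = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return list(groups.values())


def make_variant(base: bytes, seed: int) -> bytes:
    """Constructed stand-in for a polymorphic rebuild: insert a few junk bytes
    at a random offset and rename one identifier, leaving the bulk untouched."""
    rng = random.Random(seed)
    junk = bytes(rng.randrange(256) for _ in range(8))
    pos = rng.randrange(len(base))
    mutated = base[:pos] + junk + base[pos:]
    return mutated.replace(b"Overlay", f"Ovl{seed}".encode())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def exact_hash_groups(samples: Dict[str, bytes]) -> List[Set[str]]:
    """Group by SHA-256: every clone lands in its own group."""
    groups: Dict[str, Set[str]] = {}
    for name, data in samples.items():
        groups.setdefault(sha256_hex(data), set()).add(name)
    return list(groups.values())


# Constructed "code": a repeated base payload, three clones, one unrelated app.
BASE = (b"class Overlay { void show(String target) { inject(target); } }"
        b"class Keylog { void on(KeyEvent e) { send(e); } }") * 3
SAMPLES = {
    "family_base": BASE,
    "clone_a": make_variant(BASE, 1),
    "clone_b": make_variant(BASE, 2),
    "clone_c": make_variant(BASE, 3),
    "benign_calc": b"class Calculator { double add(double a, double b) { return a + b; } }" * 4,
}


if __name__ == "__main__":
    print("exact-hash groups:", len(exact_hash_groups(SAMPLES)))
    for group in cluster(SAMPLES):
        print("similarity cluster:", sorted(group))
```

Real pipelines use production fuzzy hashes (ssdeep, TLSH) and structural features of the APK rather than raw byte shingles, but the shape of the argument is the same: a per-sample indicator is only as good as the one build it came from, while a family-level similarity or behavioral rule survives the next thousand rebuilds.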