An Android banking malware named ‘Godfather’ has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.
The malware generates login screens overlaid on top of the banking and crypto exchange apps’ login forms when victims attempt to log in to the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.
The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defenses.
ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then.
Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play.
Targeting banks worldwide
Group-IB has found a limited distribution of the malware in apps on the Google Play Store; however, the main distribution channels haven’t been discovered, so the initial infection method is largely unknown.
Almost half of all apps targeted by Godfather, 215, are banking apps, and most of them are in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).
Apart from banking apps, Godfather targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.
Interestingly, the trojan is configured to check the system language, and if it’s set to Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik, it stops its operation.
This is a strong indication that the authors of Godfather are Russian speaking, possibly residing in the CIS (Commonwealth of Independent States) region.
Once installed on the device, Godfather imitates ‘Google Protect,’ a standard security tool found on all Android devices. The malware even goes to the extent of emulating a scanning action on the device.
The goal of this scan is to request access to the Accessibility Service from what appears to be a legitimate tool. Once the victim approves the request, the malware can issue itself all permissions it needs to perform malicious behavior.
This includes access to SMS texts and notifications, screen recording, contacts, making calls, writing to external storage, and reading the device status.
Moreover, the Accessibility Service is abused to prevent the user from removing the trojan, exfiltrating Google Authenticator OTPs (one-time passwords), processing commands, and stealing the contents of PIN and password fields.
Godfather exfiltrates a list of installed apps to receive matching injections (fake HTML login forms to steal credentials) from the C2 server.
“The web fakes mimic the login pages for the legitimate applications, and all data that is entered into the fake HTML pages, such as usernames and passwords, is exfiltrated to C&C servers.” – Group-IB.
The malware can also generate fake notifications from apps installed on the victim’s device to take the victim to a phishing page, so it doesn’t have to wait for the target app to open.
For apps not on the list, Godfather can employ its screen recording features to capture the credentials entered by the victim in the fields.
Additionally, the malware also accepts the following commands from the C2, which it executes with administrator privileges on the device:
- startUSSD – Execute a USSD request
- sentSMS – Send SMS from an infected device (not processed in later malware versions)
- startApp – Launch an app defined by the C2
- cahcecleaner – Clear app cache for any app determined by the C2
- BookSMS – Send SMS to all contacts. Likely used for propagation. Not implemented in the latest version.
- startforward/stopforward – Enable/disable call forwarding to a number specified by the C2
- openbrowser – Open an arbitrary web page
- startsocks5/stopsocks5 – Enable/disable a SOCKS5 proxy
- killbot – Self-delete
- startPush – Show push notifications that, when clicked, open a web page with a fake page (phishing).
Apart from the above, the trojan feature modules that enable it to perform actions such as keylogging, launching a VNC server, recording the screen, locking the screen, exfiltrating and blocking notifications, enabling silent mode, establishing a WebSocket connection, and dimming the screen.
Connection to Anubis
Anubis’ source code was leaked in 2019, so Godfather might be either a new project from the same authors or a new malware created by a new threat group.
The similarities extend to the method of receiving the C2 address, processing, and implementation of C2 commands, the web fakes module, the proxy module, and the screen capture module.
Godfather has omitted the inclusion of Anubis’ file encryption, audio recording, and GPS tracking modules, but has added a VNC module, implemented a new communication protocol and traffic encryption algorithm, and added a system to steal Google Authenticator codes.
Overall, Godfather is a feature-rich, dangerous trojan built on proven code from the Anubis malware, targeting an extensive list of apps and Android users from around the globe.
To protect yourself against this threat, only download apps from Google Play, keep your device up to date, use an AV tool, ensure that Play Protect is active, and keep the number of installed apps at the minimum possible.