A new banking malware for Android has been going after bank websites and cryptocurrency exchanges. in this post we discussed about Godfather Malware Targets Banks.
What’s their technique? Well, malware will make fake login screens on top of banking or cryptocurrency exchange apps, where people who don’t know what’s going on will try to log in, giving the hackers their login information.
The malware seems to be a reference to the classic mafia movie Godfather Trilogy. It is trying to steal accounts from over 400 online banking sites and cryptocurrency exchanges from users in 16 countries.
RELATED:
- 300,000 Android Smartphones Have Facebook Account-Stealing Malware
- Millions of Android Users Are Bill Secretly by Android Malware
- Android Users Warned Against “Toll Fraud” Malware
- Guide to Changing Disney Plus Language
When the trojan is on a device, it can look like Google Protect. It goes even further by simulating a scanning motion. This scan tries to get the user to give access to Accessibility Service requests because it seems to be authentic. Once the user agrees to the request, it can grant itself all the permissions it needs to do the wrong things, such as accessing text messages for one-time passwords, recording the screen, and more.
Analysts from Group-IB found the trojan. They thought Godfather was a new version of Annubis, a famous banking trojan in the past.
ThreatFabric first found the Godfather in March 2021, but the code has been update and improved.
| Permissions | Description |
|---|---|
| Read_SMS | Access SMSs from the victim’s device. |
| RECEIVE_SMS | Intercept SMSs received on the victim’s device |
| READ_CONTACTS | Access phone contacts |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which attackers can potentially misuse. |
| SEND_SMS | Allows an application to send SMS messages. |
| CALL_PHONE | Allows an application to initiate a phone call without going through the dialer user interface for the user to confirm the call. |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files in the device’s external storage |
| WRITE_SMS | Allows the app to modify or delete SMSs |
| DISABLE_KEYGUARD | Allows the app to disable the keylock and any associated password security |
| BIND_ACCESSIBILITY_SERVICE | Used for Accessibility Service |
A new report from Cyble also pointed out that the Godfather has been doing more things lately. It tries to get people to download an app that pretends to be a popular music tool in Turkey and has already been download 10 million times from the Google Play Store.
People say that the Godfather tries to hack banking apps from the following:
- US
- Spain
- Turkey
- Canada
- France
- Germany
- the UK.
Godfather was made so that it could figure out the system language of the device. It is fascinating that it stops working whenever the language is set to Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. Â
This could mean that Russian-speaking hackers are behind it.
Ensure you only download apps from the Google Play Store, use the correct version of Google Protect, and use an anti-virus tool to stay safe from this threat.
