This Android malware has a relentless plan to ruin its victims

A formidable piece of malware is attacking Android smartphones. Inspired by the infamous “Anubis”, the virus is designed to siphon off users’ savings. It targets over 400 banking and cryptocurrency apps.

Group-IB analysts have discovered a new, active Android malware. Dubbed “Godfather” (“Le Parrain” in French), the malware is designed to steal the login credentials of certain banking and financial applications. With the stolen data, the hackers aim to siphon off the money users hold in those accounts and apps.

The successor to the infamous Anubis

After investigation, the researchers discovered a relationship between “Godfather” and “Anubis”, a Trojan horse whose source code was leaked in 2019. Before being defeated by Google’s security measures, Anubis wreaked havoc on Android. It managed several times to infiltrate applications available on the Play Store. Once installed on its victims’ phones, Anubis wasted no time in sucking up all the data from the device, such as geolocation or IMEI number, and requesting access to certain features, including the camera and microphone.

According to researchers, the hackers behind the Godfather malware largely based it on the Anubis code. There are many similarities in how the two viruses work. Nevertheless, the software has been enriched with new weapons to circumvent Android’s latest defenses. Godfather first appeared in June 2021. After several months of activity, the malware disappeared from the radar before making a comeback in September 2022, reports Group-IB.

Over 400 Android apps targeted

Since returning to the limelight, Godfather has been targeting over 400 Android apps belonging to financial institutions. The malware mainly targets banks, with 215 banking applications in its sights. The researchers claim that 20 French banks are particularly targeted by hackers. The report does not specify the names of the establishments affected.

The Trojan is also designed to rob cryptocurrency holders. According to Group-IB, Godfather is able to steal data from 94 digital wallets and 110 cryptocurrency exchanges. If you keep crypto-assets through an Android application, we recommend that you be extra careful.

The traps set by the malware

To trick Internet users, Godfather pretends to be Google Play Protect, the security service that scans all installed apps. Disguised as a legitimate security system, the virus then requests a plethora of permissions. Anubis also proceeded in this way to lull its victims’ suspicions.

“An animation shows Google Play Protect’s supposed ‘activity’, but the ‘scanner’ does nothing and instead Godfather roots itself to the device”, explains the Group-IB report.

With these permissions, it collects SMS messages, notifications, contacts, call history and data stored in internal memory. Above all, Godfather grants itself the right to take screenshots without the user’s knowledge. This trick “allows the stealing of user-entered data in legitimate applications”, warns Group-IB. Very full-featured, the malware can also deploy fake notifications to redirect users to phishing sites. All of these methods allow the hackers to achieve their ends and collect login credentials.

“By mimicking Google Play Protect, Godfather can easily go unnoticed on infected devices”, warns the firm.

Malware lurks on the Play Store

Group-IB researchers spotted the malware on the Play Store, in the code of two seemingly innocuous Android apps. Alerted by experts, Google promptly banned the apps from its store. At the same time, the American security specialist Cyble also identified Godfather’s presence on the Play Store.

The virus was hidden in an app for Turkish Internet users, MYT Müzik. Before its deletion by Google, it accumulated over 10 million downloads. Note that hackers also deploy the virus on alternative app stores or directly on the web, through advertisements.
