The Godfather banking trojan has expanded its list of targeted applications to reach more victims in Europe. A month ago, the threat targeted users of 400 banking and cryptocurrency apps in 16 countries, including several in Europe.
What has been found
Recently, the EclecticIQ Threat Research Team spotted Godfather samples imitating Google Protect apps, fooling users into believing they are protected by a legitimate Android service. The affected organizations are in Canada, the U.S., France, Germany, Spain, Turkey, and the U.K.
If the trojan detects that the device's language settings match those common in the Commonwealth of Independent States (CIS), it exits. (This check hints that the trojan was possibly developed by a Russian hacker.)
The trojan is commonly installed via malicious application packages uploaded to the app store.
The latest samples of the Godfather banking trojan were uploaded to VirusTotal as a Google Protect lure.
How it works
After a successful infection, Godfather obtains Accessibility Service permissions and collects the default user agent, the network operator's country code, a bot ID, the list of installed apps, the Android version, the device model, and other details.
It establishes VNC connections to record the screen, uses a keylogger to capture keystrokes in every Android app, exfiltrates push notifications, and forwards phone calls to bypass 2FA.
Godfather performs money transfers by issuing USSD calls without using a GUI. It also sends SMS messages from the device and launches proxy servers for C2 connections.
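Because the trojan depends on an Accessibility Service grant (and reads notifications) while posing as "Google Protect", a defender can triage a device by auditing which packages hold those grants. The following is an added example, not code from the EclecticIQ report: it parses the values returned by `adb shell settings get secure enabled_accessibility_services` and `enabled_notification_listeners` (each a colon-separated list of `package/class`), skips an assumed allowlist, and raises a high-severity finding when a non-Google package borrows Google/Protect naming. The allowlist, the sample values and the `com.example.protectlure` package name are constructed placeholders.

```python
"""Triage helper: flag suspicious Android accessibility / notification-listener grants.

Input is the raw value of a secure setting, e.g.
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
Each entry has the form "<package>/<component class>", separated by ':'.
"""
import re
from typing import Dict, List

# Assumed allowlist: packages that legitimately hold these grants on the managed device.
TRUSTED_PACKAGES = {
    "com.google.android.gms",              # Google Play services (hosts Play Protect)
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}

# Lure vocabulary used by the campaign: the trojan poses as "Google Protect".
LURE_WORDS = re.compile(r"google|protect|play", re.IGNORECASE)


def parse_components(setting_value: str) -> List[str]:
    """Split a secure-settings value into 'package/class' entries ('' or 'null' -> [])."""
    if not setting_value or setting_value.strip() == "null":
        return []
    return [e.strip() for e in setting_value.split(":") if e.strip()]


def flag_grants(setting_value: str, grant: str) -> List[Dict[str, str]]:
    """Return one finding per entry whose package is outside the allowlist.

    Entries that borrow Google/Protect naming without being a com.google.* package
    are escalated to 'high' because that matches the Google Protect lure.
    """
    findings = []
    for entry in parse_components(setting_value):
        package, _, component = entry.partition("/")
        if package in TRUSTED_PACKAGES:
            continue
        severity, reason = "medium", "non-allowlisted package holds " + grant
        if LURE_WORDS.search(entry) and not package.startswith("com.google."):
            severity, reason = "high", "Google Protect look-alike holds " + grant
        findings.append({"package": package, "component": component,
                         "grant": grant, "severity": severity, "reason": reason})
    return findings


# Constructed sample values (not captured from a real device); package names are placeholders.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                        "com.example.protectlure/.GoogleProtectService")
SAMPLE_LISTENERS = "com.example.msgapp/.NotifListener:com.example.protectlure/.NotifService"

if __name__ == "__main__":
    for f in flag_grants(SAMPLE_ACCESSIBILITY, "accessibility") + flag_grants(SAMPLE_LISTENERS, "notification-listener"):
        print(f"[{f['severity']}] {f['package']} {f['component']}: {f['reason']}")
```

On a live device, feed the two `adb shell settings get secure ...` outputs into `flag_grants` in place of the constructed samples; a "high" finding is a candidate for uninstalling the package and revoking the grant before re-enabling Play Protect.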
Conclusion
The Godfather trojan is a prime example of an evolving banking trojan targeting Android users across the globe. Experts recommend downloading apps only from verified sources. Users should be mindful when granting any permission to an app, and should make sure Play Protect is enabled on their Android devices.