Posted on December 22, 2022 at 8:54 AM
GodFather, an Android banking trojan, has been used in campaigns against users of more than 400 banking and cryptocurrency apps across 16 countries.
GodFather banking trojan targets over 400 banking and crypto apps
Of the more than 400 apps targeted in this campaign, 215 were banking apps, 94 were crypto wallet providers, and 110 were crypto exchange services. Among the 16 countries whose users were targeted are Canada, Italy, Spain, Turkey, and the United States.
Group-IB, a cybersecurity company headquartered in Singapore, published a report on the campaign noting that the malware shares many features with another banking trojan known as Anubis.
The Android ecosystem has long been a target for financial trojans. Most of them steal credentials with overlay screens known as web fakes: a phishing page drawn on top of the legitimate banking app's login screen, so that the credentials the user types go to the trojan rather than to the bank.
Group-IB first identified this malware in June 2021. It was later disclosed publicly by ThreatFabric in March this year. GodFather ships with a wide range of native backdoor features, most of which abuse the Android Accessibility Service APIs.
Its functions include recording the screen, logging keystrokes, capturing screenshots, and collecting SMS messages and call logs. With these capabilities the malware can harvest credentials, one-time codes and other private data from the infected device.
The Group-IB analysis concluded that GodFather is derived from the Anubis banking trojan, whose source code was leaked on a hacker forum in January 2019. GodFather is also believed to be offered to other threat actors under a malware-as-a-service model.
The two trojans share the method used to obtain command-and-control (C2) addresses, the implementation of C2 commands, and the web fake, proxy and screen capture modules. GodFather's developers have, however, removed the recording and location tracking features present in Anubis.
The researchers also noted that the trojan does not target users in post-Soviet countries: if the device's system language is set to one of the languages spoken in that region, the trojan stops running. This behavior suggests that the threat actors behind it are Russian speakers.
One of GodFather's more distinctive features is how it retrieves its C2 server address: it reads the description of a Telegram channel controlled by the threat actor and decrypts it with the Blowfish cipher, obtaining the address without having to hard-code a server that defenders could block.
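The two behaviours described above, the locale kill switch and the Telegram "dead drop" for the C2 address, modelled as an added example. This is illustrative code written for this page, not code from Group-IB's report or from the malware itself. The Telegram preview page, the Blowfish key, the choice of ECB mode with PKCS#7 padding, the base64 wrapping and the concrete list of blocked languages are all assumptions; the page states only that the description is Blowfish-encrypted and that post-Soviet-region languages disable the trojan.

```python
"""GodFather-style dead-drop C2 resolution and locale kill switch.

Added example, not code from the page, from Group-IB, or from the malware.
Key, cipher mode, padding, page layout and language list are assumptions.
"""
import base64
import html
import re
from typing import Optional

from cryptography.hazmat.primitives.ciphers import Cipher, modes
try:
    # cryptography >= 43 keeps legacy algorithms such as Blowfish here.
    from cryptography.hazmat.decrepit.ciphers.algorithms import Blowfish
except ImportError:  # older releases
    from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish

BLOCK = 8  # Blowfish block size in bytes
KEY = b"constructed-demo-key"  # assumed; a real sample embeds its own key

# Assumed list of languages for the post-Soviet region the page describes.
BLOCKED_LANGUAGES = frozenset(
    {"ru", "uk", "be", "kk", "ky", "uz", "tg", "hy", "az", "ka", "mo"})


def should_abort(device_language: str) -> bool:
    """Locale kill switch: True means the trojan exits without doing anything.

    Accepts Android-style tags such as "ru-RU" or "kk_KZ" and compares only
    the primary language subtag.
    """
    primary = re.split(r"[-_]", device_language, maxsplit=1)[0].lower()
    return primary in BLOCKED_LANGUAGES


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def encrypt_dead_drop(plaintext: str, key: bytes) -> str:
    """Blowfish-ECB then base64: how the operator would prepare the channel description."""
    enc = Cipher(Blowfish(key), modes.ECB()).encryptor()
    ct = enc.update(_pad(plaintext.encode())) + enc.finalize()
    return base64.b64encode(ct).decode()


def decrypt_dead_drop(description: str, key: bytes) -> str:
    """Inverse of encrypt_dead_drop: what the trojan does on the device."""
    dec = Cipher(Blowfish(key), modes.ECB()).decryptor()
    pt = dec.update(base64.b64decode(description)) + dec.finalize()
    return _unpad(pt).decode()


# Constructed stand-in for the public preview page of a Telegram channel
# (t.me/s/<channel>), which exposes the description in an og:description tag.
C2_URL = "https://c2.example.invalid/api"
ENCRYPTED_DESCRIPTION = encrypt_dead_drop(C2_URL, KEY)
CONSTRUCTED_CHANNEL_HTML = f"""<html><head>
<meta property="og:title" content="Daily crypto news">
<meta property="og:description" content="{ENCRYPTED_DESCRIPTION}">
</head><body></body></html>"""

_DESC_RE = re.compile(r'<meta\s+property="og:description"\s+content="([^"]*)"')


def extract_description(page: str) -> Optional[str]:
    """Pull the channel description out of the fetched preview page."""
    m = _DESC_RE.search(page)
    return html.unescape(m.group(1)) if m else None


def resolve_c2(page: str, key: bytes) -> Optional[str]:
    """Full dead-drop resolution; None if the page or ciphertext is unusable."""
    desc = extract_description(page)
    if desc is None:
        return None
    try:
        return decrypt_dead_drop(desc, key)
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print("kill switch for ru-RU:", should_abort("ru-RU"))
    print("resolved C2:", resolve_c2(CONSTRUCTED_CHANNEL_HTML, KEY))
```

Two practical consequences follow from this model. An analysis sandbox whose device language is set to Russian or another blocked language will see the sample exit silently, so samples should be detonated under a non-CIS locale. And because the C2 address lives in a Telegram channel description, blocking the address seen today is not enough; the operator can rotate it by editing the channel, so the channel itself (and the key recovered from the sample) is the indicator worth tracking.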
Distribution method yet to be identified
The researchers have not yet established how the threat actors deliver the trojan to victims' devices. A closer look at the C2 infrastructure, however, suggests that trojanized dropper apps are one likely distribution vector.
The lead came from a C2 address linked to an app called Currency Converter Plus, which was listed on the Google Play Store in June 2022. The app has since been taken down and is no longer available for download.
The Group-IB researchers also analyzed another sample that impersonates the legitimate Google Play Protect service. When launched, it displays a fake Play Protect notification and hides its icon from the list of installed applications.
These findings follow a separate analysis by Cyble of GodFather samples embedded in an app called MYT Múzik, which was used to target users in Turkey.
Anubis has served as a base for other Android malware as well. In July this year, ThreatFabric reported that another Anubis variant, known as Falcon, targeted users in Russia by impersonating VTB Bank, a Russian state-owned bank.
One of the Group-IB researchers, Artem Grischenko, noted that “the emergence of GodFather underscores the ability of threat actors to edit and update their tools to maintain their effectiveness in spite of efforts by malware detection and prevention providers to update their products.”
Grischenko further noted that with a trojan such as GodFather, the threat actors are limited only by their ability to create web fakes for a given application. In some cases the fake login screen looks better than the original, which makes the lure all the more convincing to users.