Researchers at Cyble Research & Intelligence Labs (CRIL) have found a new version of the Android banking Trojan called Godfather.
The new version of Godfather uses an icon and name similar to a legitimate application named MYT Music, which is hosted on the Google Play Store with over 10 million downloads.
Group-IB researchers established that Godfather is a successor of Anubis. Anubis was a widely used Android banking Trojan that lost popularity after its functionality got limited by Android updates and security vendors’ detection and prevention efforts.
Godfather’s success is mostly due to its ability to create convincing overlay screens for over 400 applications.
These overlay screens, or web fakes, are HTML pages created by the threat actors that display on top of legitimate applications. This allows the threat actors to harvest login credentials for banking applications and other financial services.
The target apps include banking applications, cryptocurrency wallets, and crypto exchanges.
Most of the apps targeted by the banking Trojan are in the United States (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17).
The Trojan checks the system language of the infected device and shuts down if it is one of these: Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.
Several of the new Godfather samples were found masquerading as the MYT Müzik application, which is in Turkish. Once installed, it uses an icon and name very similar to those of the legitimate MYT Music app, a popular application with over 10 million installs.
To get the necessary permissions, the Trojan poses as Google Protect, which is a standard security tool found on all Android devices.
It pretends to initiate a scan and asks the user for access to the Accessibility Service, which seems reasonable to the user, who expects the app to scan the device.
With access to the Accessibility Service, the Trojan can grant itself all the permissions it needs to steal information from the affected device.
Once fully active, Godfather steals sensitive data such as SMS messages, basic device details including installed apps data, and the device’s phone number.
It can also control the device screen, forward the victim’s incoming calls, and inject banking URLs.
The Trojan is capable of initiating money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialler user interface.
It sends the harvested data to the attacker, who then knows which apps are installed and can inject the HTML phishing pages that will be most effective, namely those imitating apps the victim actually has installed.
The Command & Control (C2) server’s URL is fetched from a Telegram channel.
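The behaviours described above (a label imitating MYT Music under a different package name, Accessibility Service abuse, SMS theft, USSD calls) can be turned into a simple triage rule over an installed-app inventory. The following is an added example written for this page, not code from Cyble, Group-IB or the article; the package names, the sample inventory and the mapping of behaviours onto Android permissions are the editor's assumptions.

```python
"""Triage an Android app inventory for the Godfather traits described above."""
import difflib
import re
import unicodedata
from dataclasses import dataclass, field

# Genuine label -> genuine package name. The package name is a placeholder
# chosen for this example; the article gives only the app name.
GENUINE_APPS = {"MYT Music": "com.example.mytmusic.placeholder"}

# Editor's mapping of the article's behaviours onto Android permissions (assumed).
TRAIT_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (self-granting permissions)",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.RECEIVE_SMS": "SMS theft",
    "android.permission.CALL_PHONE": "USSD transfers without the dialler UI",
    "android.permission.READ_PHONE_STATE": "phone number collection",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

@dataclass
class InstalledApp:
    package: str
    label: str
    permissions: set = field(default_factory=set)

def normalize(label):
    """Lower-case, strip diacritics and punctuation: 'MYT Müzik' -> 'mytmuzik'."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())

def impersonated_app(app, threshold=0.7):
    """Genuine label this app imitates under a different package name, else None."""
    for genuine_label, genuine_pkg in GENUINE_APPS.items():
        if app.package == genuine_pkg:
            continue  # the real app is not an impersonator of itself
        ratio = difflib.SequenceMatcher(None, normalize(app.label), normalize(genuine_label)).ratio()
        if ratio >= threshold:
            return genuine_label
    return None

def triage(apps):
    """Return {package: [findings]} for apps anchored by impersonation or accessibility abuse."""
    report = {}
    for app in apps:
        findings = []
        target = impersonated_app(app)
        if target:
            findings.append(f"label '{app.label}' imitates '{target}'")
        findings += [f"{p.rsplit('.', 1)[1]}: {t}" for p, t in TRAIT_PERMS.items() if p in app.permissions]
        if (target or ACCESSIBILITY in app.permissions) and len(findings) >= 2:
            report[app.package] = findings
    return report

# Constructed sample inventory (not real telemetry); package names are placeholders.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.mytmusic.placeholder", "MYT Music", {"android.permission.INTERNET"}),
    InstalledApp("com.fake.mytmuzik.placeholder", "MYT Müzik", {ACCESSIBILITY, "android.permission.READ_SMS",
                 "android.permission.RECEIVE_SMS", "android.permission.CALL_PHONE"}),
    InstalledApp("com.example.sms.placeholder", "Messages", {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}),
]
```

Running `triage(SAMPLE_INVENTORY)` reports only the MYT Müzik lookalike; the plain messaging app holds SMS permissions but has no impersonation or accessibility anchor, so it is not flagged.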
The post Android banking Trojan Godfather rears ugly head appeared first on Payments Cards & Mobile.