Borrowing imagery and verbiage from the iconic film starring Marlon Brando, Group-IB researchers reported that the Android banking trojan Godfather has been using "web fakes" (counterfeit login pages that capture credentials) to attack more than 400 targets in 16 countries, including mobile banking apps, cryptocurrency wallets, and cryptocurrency exchanges.
In a December 21 blog post, the Group-IB researchers explained that Godfather is designed to let cybercriminals harvest login credentials for mobile banking apps and other financial services and then drain the victims' accounts. The blog post does not estimate the total financial impact.
Group-IB first detected Godfather in June 2021. Researchers at ThreatFabric first mentioned the banking trojan publicly in March 2022. A few months later the trojan dropped out of circulation; Group-IB believes its operators paused it so the developers could update the malware. Godfather resurfaced in September with slightly modified WebSocket functionality. Its predecessor is Anubis, another banking trojan: the researchers said Godfather's developers used the Anubis source code as a base and updated it for newer versions of Android.
Researchers say that, as of October, Godfather had targeted 215 international banks, 94 cryptocurrency wallets, and 110 cryptocurrency exchanges. The targeted financial service providers operate in Canada, France, Germany, the United Kingdom, the United States, Italy, Poland, Spain, and Turkey, among other countries.
Notably, researchers say Godfather spares users in post-Soviet countries: if the device's system settings specify one of those Eastern European languages, the trojan shuts itself down. The researchers say this could suggest that Godfather's developers are Russian speakers.
Like most other Android malware, Godfather is delivered via a fake app that uses a name and icon similar to those of a popular app or game, said Venky Raju, field CTO at ColorTokens. Unsuspecting users download the fake app and get infected, so Raju said users should be very careful when downloading apps to their mobile devices.
"On desktop browsers, we've learned to watch the URL closely to make sure it's not a fake site, and we need to exercise the same caution on mobile app stores," Raju said. "This is more of an issue on Android devices, as Google Play doesn't exercise strict controls over developer submissions. Although Google removes malicious apps as soon as it notices them, many unsuspecting users are affected."
Dangerous malware has made its way to mobile phones, and many app developers and publishers still believe that the Google and Apple app stores are protected from malware infection, said Will LaSala, field CTO at OneSpan. LaSala said that with this new Godfather trojan, it's important to understand that malware evolves as fast as the big app stores can remove it, so app developers and publishers need to ensure their apps are protected with App Guard, going beyond what these stores can offer.
"Today's trojans target specific types of attacks, which can be stopped by applying application protection to an application before they can do any damage," LaSala said. "App shielding is a process of hardening the app before it is published on the app store. It will protect from screen readers, library injection, and even app store repackaging, which is how a number of trojans are being deployed right now. Trust in the providers of the large app stores must be evaluated and additional technology must be applied to protect users."