Godfather Banking Trojan pretends to be a legitimate Google Play app

A type of Android malware targeting banking users around the world since March has resurfaced with sophisticated obfuscation methods disguised as a legitimate application on the Google Play Store with more than 10 million downloads, researchers have found.

Godfather is a banking Trojan best known for attacking banking users in European countries, but the latest activity shows increased sophistication in its ability to fly under the radar of widely used malware detection methods, according to researchers at Cyble Research & Intelligence Labs (CRIL), who described the findings in a blog post on December 20.

Once successfully installed on a victim’s device, Godfather initiates a series of typical banking Trojan behaviors, including stealing banking and crypto exchange credentials, the researchers said. But it also steals sensitive data such as text messages, basic device details – including data from installed applications – and the phone number of the device, and it can perform some nefarious actions silently in the background.

“Apart from this, it can also control the device’s screen using VNC [virtual network computing], forwarding incoming calls from the victim’s device and injecting bank URLs,” the Cyble researchers wrote.

The latest instance of Godfather that researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products — a new tactic by the threat actors behind the malware, the researchers said.

Aimed at businesses and consumers

Upon further investigation, the researchers discovered that the malware used an icon and name similar to those of the legitimate Google Play app MYT Music, which has already logged more than 10 million downloads. Indeed, threat actors often hide malware on Google Play, despite Google’s efforts in recent years to keep bad apps off the store before users are affected.

MYT Music is written in the Turkish language, so researchers believe that the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect that other versions of the malware will remain active and target banking users around the world.

While banking Trojans affect consumers more than businesses, business users are still in danger because they use their mobile devices at work and may even have business apps and data stored on their devices. For this reason, business users should be especially wary of downloading apps from the Internet or opening links received via text messages or emails delivered to a cell phone, the researchers said.

Google Play has removed the app, but those who installed it are still at risk.

How Godfather pulls victims’ strings

Once installed on an Android device, Godfather requests 23 different permissions from the device, misusing some of them to access the user’s contacts and device status, as well as information related to the user account. It can also write or delete files in external storage and disable the keylock and any associated password protection, the Cyble researchers said.

Godfather can transfer money from a compromised device through its ability to initiate phone calls via Unstructured Supplementary Service Data (USSD), which does not require use of the dialer’s user interface and thus does not require the user to acknowledge the call, they said.

The malware also extracts sensitive user data from the device – including application key logs – which can be sent back to a command-and-control (C2) server. The C2 server can also send Godfather a command that forwards all of the victim’s incoming calls to a number provided by the threat actor, the researchers said.

Godfather then collects credentials: it creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages via a separate command from C2, whose server URL comes from a Telegram channel, hxxps://t[.]me/varezotukomirza, the researchers said.

Once it completes its malicious activity, Godfather receives a “killbot” command from C2 to terminate itself, the researchers added.
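As an added illustration (not code from Cyble’s post or from the Godfather sample), the following Python script triages an APK manifest against the capability profile described in this section: the contacts, device-status, account, storage, keylock, SMS, USSD-call and overlay permissions, plus an accessibility service hook. The manifest is constructed, and the capability-to-permission mapping is an editorial assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Capabilities the article attributes to Godfather, mapped to the Android
# permissions that grant them (this mapping is an editorial assumption).
CAPABILITY_PERMISSIONS = {
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read device status": {"android.permission.READ_PHONE_STATE"},
    "read user account": {"android.permission.GET_ACCOUNTS"},
    "write external storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "disable keylock": {"android.permission.DISABLE_KEYGUARD"},
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "place calls (USSD)": {"android.permission.CALL_PHONE"},
    "draw overlays": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Constructed manifest for a look-alike app; not the real sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def requested_permissions(manifest_xml):
    # Every <uses-permission android:name="..."/> declared in the manifest.
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def binds_accessibility_service(manifest_xml):
    # A <service> guarded by BIND_ACCESSIBILITY_SERVICE is the overlay/keylog hook.
    return any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY
               for s in ET.fromstring(manifest_xml).iter("service"))

def triage(manifest_xml):
    # Capabilities from the article's profile that this manifest would enable.
    perms = requested_permissions(manifest_xml)
    hits = [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]
    if binds_accessibility_service(manifest_xml):
        hits.append("accessibility service hook")
    return sorted(hits)
```

A manifest that only asks for INTERNET returns an empty list; the constructed look-alike above flags seven of the behaviors described in this section.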

Avoid being beaten by Godfather

The most common way to avoid downloading mobile app malware is to only download and install software from official app stores like Google Play or the Apple App Store, or so the conventional wisdom goes.

But as this case proves, malware can also lurk in official app stores, so “practicing basic cyber hygiene on mobile devices and online banking applications effectively prevents such malware from putting your devices at risk,” the researchers noted in the post. That includes using a reputable anti-virus and internet security software package on connected devices to ensure that whatever is downloaded is free of malware.

Also, advanced anti-detection methods, such as those used by the threat actors behind Godfather, can make downloading even what appear to be legitimate apps risky, they said. To further protect themselves, users can use strong passwords and enforce multi-factor authentication on devices where possible, making it more difficult for attackers to break into their accounts.

Android device users should also ensure that Google Play Protect is enabled on their devices for further security, the Cyble researchers added.

All mobile device users should also enable biometric security features such as fingerprints or facial recognition for unlocking the mobile device and using apps where possible, and be especially careful when enabling permissions on devices, especially if an app has not been verified by a reputable provider, they added.
