German Financial Regulator Warns Against ‘GodFather’, A Malware Targeting Crypto and Banking Apps


BaFin has warned mobile users about a new malware family targeting Android devices. GodFather is a trojan that arrives via malicious apps and takes control of the victim's device, accessing banking and crypto apps as well as Google Authenticator codes.

On Monday, Germany's Federal Financial Supervisory Authority (BaFin) released an official statement warning users of banking and crypto applications about a dangerous malware family dubbed 'GodFather'. The financial regulator says the trojan is expected to attack more than 400 banking and crypto exchange apps in 16 countries.

BaFin has yet to determine how GodFather gets onto victims' mobile devices. What is known is that the malware displays fake websites posing as legitimate services; when consumers log in through these pages, their credentials and on-phone data are stolen by cyber criminals.

Information about GodFather surfaced in December 2022, when it was reported that the malware was specifically targeting users with Android devices. Analysts at cybersecurity firm Group-IB, who first documented the trojan, believe it to be a successor of Anubis, a once widely used banking trojan that died out after it could no longer bypass newer Android defences. Since its first sighting in March 2021, GodFather has undergone major code upgrades that have made it considerably more capable.

Once the malware is installed on a user's device, it imitates 'Google Protect', a security tool found on all Android devices, and runs a fake scan of the phone. After the scan, GodFather requests access to the device's Accessibility Service. If the request is approved, the trojan grants itself permission to access the victim's SMS, contacts and notifications, and to perform actions such as recording the screen, making calls and writing to the device's external storage.

Furthermore, GodFather abuses the Accessibility Service to prevent victims from removing the trojan from their devices. It can obtain one-time passwords from Google Authenticator, which is used as a two-factor security measure for banking and crypto apps, steal input from PIN and password fields, and process various other commands on the phone. The malware can generate fake notifications from apps installed on the device to trick the user into opening a phishing page instead of the original app, in order to steal login information. Most of these app notifications relate to banking and crypto exchange services. According to reports, GodFather is currently targeting over 200 banking apps, 100 cryptocurrency exchanges and 94 crypto wallet apps.
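Because the Accessibility Service grant is the pivot for everything described above, a quick triage check on a suspect device is to list which packages currently hold it. The script below is an added example, not code from the article or from BaFin or Group-IB: it parses the value of Android's `enabled_accessibility_services` secure setting (pulled with `adb shell settings get secure enabled_accessibility_services`) and flags entries outside a constructed allowlist; the package names in the sample are placeholders.

```python
# Added example: flag enabled Android accessibility services that are not expected on a
# managed device. Android stores the Secure setting `enabled_accessibility_services` as
# colon-separated "package/ServiceClass" entries; a class beginning with "." is shorthand
# for a class inside that package. Pull it with:
#   adb shell settings get secure enabled_accessibility_services
from __future__ import annotations

# Constructed allowlist of packages whose accessibility services are expected (screen
# readers). Tailor it to your fleet; anything else is reported for review.
EXPECTED_ACCESSIBILITY_PACKAGES = {
    "com.android.talkback",
    "com.google.android.marvin.talkback",
}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the setting value into (package, fully qualified service class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # `settings get` prints "null" when the setting is unset
        return []
    services: list[tuple[str, str]] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # skip malformed fragments rather than crash the triage run
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):  # ".Svc" means "<pkg>.Svc"
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def suspicious_services(raw: str, allowlist=EXPECTED_ACCESSIBILITY_PACKAGES) -> list[tuple[str, str]]:
    """Return enabled accessibility services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(raw) if pkg not in allowlist]


# Constructed sample: a real screen reader plus a third-party "music" app that has no
# business holding accessibility access. The second package name is a placeholder.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.muzik/.ProtectService"
)

if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE_SETTING):
        print(f"REVIEW: accessibility service enabled for {pkg} ({cls})")
```

A hit is not proof of infection on its own, but a non-accessibility app holding this grant is exactly the state the trojan needs, so it belongs at the top of the triage list.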

GodFather cross-checks the apps installed on a victim's device against its database to generate matching fake login forms. If the malware finds a banking or crypto app that is not on its list, it can automatically record the screen to capture login credentials entered by the user in the original app. Beyond these features, the Android trojan can run commands to send SMS from the infected device, launch apps, clear app caches, enable or disable call forwarding, open websites, and execute a USSD request without permission. Other modules of GodFather allow it to capture keystrokes on the device, dim and lock the screen, enable silent mode, exfiltrate and block notifications, and establish a WebSocket connection.

Cybersecurity firms observed that GodFather enters a victim's device through malicious apps listed on the Google Play Store. One such application identified is MYT Muzik, which poses as MYT Music and even uses the same icon as the original app. There could be other fake apps masquerading as legitimate ones on the marketplace through which the malware is installed on user devices. GodFather only uninstalls itself once it has collected all available data from a victim's mobile phone.

Although GodFather is a new project said to be derived from Anubis, it omits several modules of the older trojan, such as file encryption, audio recording and GPS tracking. Instead, the new malware adds a VNC (Virtual Network Computing) module, a new communication protocol, a traffic encryption algorithm, and a mechanism for obtaining codes from Google Authenticator.

To remove the malware, security experts recommend that users scan their Android devices with legitimate anti-malware software such as Avast, Bitdefender, ESET or Malwarebytes.


Written by Backer B, Blockchain Expert

Fascinated by Blockchain technology and its evolution, Backer B studies the space up close. Get on board for accurate data and analysis on Crypto, Web3, Metaverse and everything on-chain.
