First discovered by ThreatFabric back in March of last year, the Godfather trojan has been significantly updated and improved since then according to a new report (opens in new tab) from the cybersecurity firm Group-IB. Likewise, the dark web and cybercrime monitoring firm Cyble has released a separate report (opens in new tab) detailing how Godfather is also being spread in Turkey through a malicious app that has been downloaded 10 million times which impersonates a popular music tool. As BleepingComputer (opens in new tab) points out, Godfather is believed to be the successor to Anubis which was another popular and widely-used banking trojan before it lost the ability to bypass newer Android defenses.
Targeting banking and crypto apps
Since it first appeared last year, Godfather has targeted users of more than 400 applications including 215 banking apps, 94 crypto wallets and 110 crypto exchange platforms. The banking apps targeted by the malware are found in various countries around the world with 49 in the U.S., 31 in Turkey, 30 in Spain, 22 in Canada, 20 in France, 19 in Germany and 17 in the UK. Surprisingly, Group-IB found a line in Godfather’s code that prevents the malware from targeting users in Russia as well as users from former Soviet Union countries which suggests its creators speak Russian. Once installed on an Android phone, the malware checks to see if the system language is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. If it is, Godfather shuts down and doesn’t try to steal any banking or crypto accounts stored on the device.
Using fake overlays to steal your financial accounts
Once installed on a user’s Android phone through a malicious app or file, Godfather tries to achieve persistence on the device by imitating Google Protect. This legitimate program runs once you download an app from the Google Play Store. Godfather then tells a user that it is “scanning” when in reality, the malware creates a pinned “Google Project” notification and hides its icon from the list of installed apps. This makes it easier for the malware to hide in the background and harder to delete. Since Godfather’s icon is nowhere to be found, a targeted user goes about their daily business. However, the malware then uses fake overlays of popular banking and crypto apps to steal their credentials and drain their accounts. Godfather also uses a clever trick to send users to phishing pages. It does this by displaying a decoy notification that spoofs banking or crypto apps installed on their smartphone. Besides stealing credentials, Godfather can also record a user’s screen, launch keyloggers to capture their keystrokes, forward calls to bypass two-factor authentication (2FA) and send SMS messages from infected devices.
How to protect yourself from Android malware
You should also make sure that Google Play Protect is enabled on your device as it scans new apps as well as your existing apps for malware. For additional protection though, you may also want to install one of the best Android antivirus apps as well. In an email to Tom’s Guide, a Google spokesperson provided further details on how Google Play Protect helps keep you safe from harmful apps including sideloaded ones, saying: “Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Users are protected by Google Play Protect, which blocks these identified malicious apps on Android devices.” Before installing any new app, you should first ask yourself if you really need it. By limiting the number of apps installed on your Android smartphone, you can lower the chances of having your device infected with malware. Godfather is already being used in countries around the world and cybercriminals will likely continue to deploy this malware in their campaigns due to the way in which it can bypass Android security checks and the large number of banking and crypto apps it targets.
