Several cybersecurity companies have confirmed the existence of Godfather, an Android banking malware that has been found targeting victims' bank and cryptocurrency accounts.
Analysts at Group-IB, ThreatFabric, and Cyble have all recently reported on Godfather, its targets, and its methods: the malware tries to steal login credentials by placing overlays on top of legitimate banking and cryptocurrency apps (exchanges, wallets, and similar).
The group found that Godfather has targeted more than 400 different entities, most of them in the US (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).
Multiple infection vectors
What's more, the malware analyzes the endpoint it has infected, and if it determines that the device language is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik, it shuts the entire operation down, leading some of the researchers to believe that the threat actors are of Russian origin.
The exact number of infected devices is impossible to determine, as the Play Store is not the only infection vector. In fact, the malware has had relatively limited distribution through Google's app repository, and the main distribution channels are yet to be discovered. What we do know, courtesy of Cyble's research, is that one of the malicious apps has more than 10 million downloads under its belt.
Once a victim downloads the malware, it first needs to be granted permissions, which is why in some instances it impersonates "Google Protect" and demands access to the Accessibility Service. If the victim complies, the malware takes over SMS messages and notifications, starts recording the screen, exfiltrates contacts and call logs, and more.
With the Accessibility Service enabled, the malware also becomes harder to remove, and it allows the threat actors to exfiltrate Google Authenticator one-time passwords as well.
The researchers also noted that the malware has additional modules that can be added, giving it extra capabilities such as launching a VNC server, enabling silent mode, establishing a WebSocket connection, or dimming the screen.
Via: BleepingComputer