Hundreds of banks and cryptocurrency exchanges attacked by Android Godfather malware

Several cybersecurity firms have confirmed the existence of Godfather, an Android banking malware that was found targeting the victim's bank and cryptocurrency accounts.

Experts from Group-IB, ThreatFabric and Cyble recently reported on Godfather, its goals and methodologies, in which the malware attempts to steal login details by overlaying legitimate banking and cryptocurrency applications (exchanges, wallets, etc.).

The researchers found that Godfather had targeted more than 400 different entities, most of them in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19) and the United Kingdom (17).

Multiple infection vectors

Furthermore, the malware inspects the device it has infected and, if it determines that the device language is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek or Tajik, it shuts down the entire operation, leading some of the researchers to believe that the threat actors are of Russian origin.

It is impossible to determine the exact number of infected devices, as the Play Store is not the only infection vector. In fact, the malware has had relatively limited distribution through Google's app store, and its main distribution channels have not yet been identified. What we do know from Cyble's research is that one of the malicious apps has over 10 million downloads to its credit.

But when a victim downloads the malware, it first has to obtain permissions, so in some cases it mimics "Google Protect" and asks for access to the accessibility service. If the victim grants it, the malware takes over SMS and notifications, starts recording the screen, extracts contacts and call lists, and so on.

Enabling the accessibility service makes the malware even more difficult to remove and also allows the attackers to exfiltrate Google Authenticator one-time passwords.
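A defender-side triage check for the accessibility-service abuse described above, added here as an example and not code from the article or from the researchers it cites: it parses the value Android keeps in the secure setting `enabled_accessibility_services` (readable from a connected device with `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on an allowlist of expected accessibility tools. The sample setting value, the allowlist and the `com.example.fakeprotect` package are constructed for the example.

```python
"""Flag unexpected apps holding the Android accessibility service.

The secure setting ``enabled_accessibility_services`` is a colon-separated
list of ``package/ServiceClass`` entries; the class may be abbreviated as
``.ServiceClass`` when it lives inside the package. An accessibility grant
to an app that is not a known screen reader or similar tool is a strong
signal worth investigating on a suspected device.
"""
from dataclasses import dataclass

# Constructed allowlist of packages expected to hold accessibility access.
ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service: str  # fully qualified service class name


def parse_enabled_services(setting_value: str) -> list[AccessibilityService]:
    """Parse the raw setting string into (package, class) pairs."""
    services = []
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # "null" or empty when no service is enabled
        package, service = entry.split("/", 1)
        if service.startswith("."):
            service = package + service  # expand the shorthand class name
        services.append(AccessibilityService(package, service))
    return services


def suspicious_services(setting_value: str, allowlist=ALLOWLIST) -> list[AccessibilityService]:
    """Return enabled services whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(setting_value) if s.package not in allowlist]


# Constructed sample of what a triage script might read back from a device.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeprotect/.GProtectService"
)

if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_SETTING):
        print(f"unexpected accessibility service: {svc.package} ({svc.service})")
```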

The researchers also said that the malware has additional modules that can be added, giving it additional functionality, such as starting a VNC server, enabling silent mode, establishing a WebSocket connection, or dimming the screen.

Via: BleepingComputer