An Android mobile banking malware named “Godfather” targets and steals banking and cryptocurrency exchange credentials of Android users in 16 countries, Bleeping Computer reports.
The malware, which also targeted 400 international financial firms, works by creating fake login screens that appear over the legitimate login forms of banking and cryptocurrency exchange apps. According to malware analysts at Group-IB, all data entered into the fake login forms, such as usernames and passwords, is collected.
Group-IB first spotted Godfather in June 2021 and describes it as a successor to an old banking Trojan called Anubis, which is no longer used due to Android updates and "providers' efforts to detect and prevent malware".
In June 2022, Godfather was discontinued before a modified and more effective version reappeared in September. As of October, 215 international banks, 94 cryptocurrency wallets, and 110 cryptocurrency exchange platforms have been targeted by Godfather. Analysts report that the majority of targeted companies are in the USA (49), Turkey (31), Spain (30), Canada (22), Germany (20), France (19) and the United Kingdom (17).
In a post, Group-IB claims that if the language preference of a system targeted by the malware includes a language of the post-Soviet countries, the Trojan shuts down, which "suggests" that its developers are Russian-speaking.
Researchers warn against the GodFather #Android banking trojan that's targeting users of over 400 banking and #cryptocurrency apps in 16 countries.
Read: https://t.co/o65wo70vtB #infosec #cybersecurity #mobilesecurity #malware
- The Hacker News (@TheHackersNews) December 21, 2022
Once installed on a device, Godfather emulates Google Play Protect, a default security tool found on Android devices that can even pre-schedule a scan process. This is done in an attempt to request access to the Accessibility Service, which, if authorized by the victim, gives Godfather access to SMS and notifications, the screen recording function, contacts, making calls, recording to external storage and recognizing the status of the device.
By exploiting the Android Accessibility Service, the malware can extract passwords, including Google Authenticator codes, and create fake notifications from installed apps on the victim's device to lead the victim to a phishing page. Godfather can also use its screen recording access to record usernames and passwords entered into any app or website by the victim, Bleeping Computer reports.
The malware can also lock and dim the screen, extract and block notifications, and enable silent mode on a device.
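Because everything described above depends on the victim granting Accessibility Service access to an app posing as Google Play Protect, a device audit can start from the list of enabled accessibility services. The following is an added example, not code from Group-IB or the original article: it parses the value of Android's `enabled_accessibility_services` secure setting and flags look-alikes. The package names, labels and the `reviewed` allowlist are constructed assumptions.

```python
"""Triage enabled Android accessibility services (added example, constructed data)."""

# Google packages that legitimately carry the Play Protect name.
GOOGLE_PACKAGES = {"com.google.android.gms", "com.android.vending"}

def parse_enabled_services(raw):
    """Split the colon-separated setting value into (package, service_class) pairs."""
    services = []
    for item in raw.strip().split(":"):
        if not item or item == "null" or "/" not in item:
            continue                      # unset setting prints "null"
        package, cls = item.split("/", 1)
        if cls.startswith("."):           # short form ".Svc" means package + ".Svc"
            cls = package + cls
        services.append((package, cls))
    return services

def triage(raw, labels, reviewed):
    """labels: package -> visible app label (hypothetical inventory input).
    reviewed: packages knowingly granted accessibility access (assumption)."""
    findings = []
    for package, cls in parse_enabled_services(raw):
        label = labels.get(package, "").lower()
        if "play protect" in label and package not in GOOGLE_PACKAGES:
            findings.append((package, cls, "label imitates Google Play Protect"))
        elif package not in reviewed:
            findings.append((package, cls, "accessibility service not reviewed"))
    return findings

# Constructed sample of what this command prints on a device:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_RAW = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.protect/com.example.protect.ScanService:"
    "com.example.notes/.HelperService"
)
SAMPLE_LABELS = {
    "com.google.android.marvin.talkback": "TalkBack",
    "com.example.protect": "Google Play Protect",   # constructed look-alike
    "com.example.notes": "Notes",
}
SAMPLE_REVIEWED = {"com.google.android.marvin.talkback"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW, SAMPLE_LABELS, SAMPLE_REVIEWED):
        print(finding)
```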
A Google spokesperson told PCMag: