Godfather Android Banking Trojan Steals Through Mimicry



Trojan Impersonates More than 400 Financial and Crypto Exchange Apps


A banking Trojan is on a rampage thanks to its ability to mimic the appearance of more than 400 applications, including leading financial and crypto exchange applications, in 16 countries.


Research from security intelligence firm Group-IB says the Trojan, dubbed Godfather, reappeared in September with slightly modified WebSocket functionality after a three-month pause in circulation.

Godfather is an upgraded version of the Anubis banking Trojan, whose code leaked online in 2019 (see: Botnet Watch: Anubis Mobile Malware Gets New Features). Godfather gets around the Android security updates that limit Anubis by using an updated command-and-control communication protocol. Its operators also removed several capabilities found in Anubis, such as the Trojan's ability to encrypt files, record audio or parse GPS data.

Group-IB researchers aren't entirely sure how Godfather infects devices, but they suspect one method is malicious apps on the Google Play store.

A signature feature of Godfather is its use of fake login pages that look like the real thing to trick unsuspecting users into giving up their credentials. Godfather relays the captured credentials to the real financial service app while also exfiltrating any push-notification one-time passcodes used for second-factor authentication. The objective is to gain access to accounts holding money and drain them.

The Trojan establishes persistence by…

Source…