
Researchers have identified an Android banking trojan dubbed Godfather targeting over 400 banking and cryptocurrency applications in 16 countries. It is believed to be the successor of the Anubis banking trojan.
Compared with Anubis, its features have been upgraded: new C2 communication and implementation, a modified traffic encryption algorithm, a new module for managing virtual network computing (VNC) connections, and new functionality involving Google Authenticator one-time passwords (OTPs).
The trojan uses web overlays on the infected device to steal login credentials, bypass two-factor authentication (2FA), and gain access to the victim’s account.
The malware's capabilities include recording the device's screen, creating VNC connections, launching a keylogger, exfiltrating push notifications and SMS messages, sending SMS messages, forwarding calls, executing USSD requests, launching proxy servers, enabling silent mode, and establishing WebSocket connections.
It is delivered by malicious downloader applications hosted on the Google Play Store and can imitate Google Protect, but without providing the actual scanning functionality. The threat is also distributed under a malware-as-a-service model.
The trojan achieves persistence on the device after infection, creates a pinned notification, and hides its icon. It also requests access to the Accessibility service, which, once granted, allows it to issue itself the permissions it needs to operate unobstructed on the device.
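As an added defensive example (not code from the original report or from any referenced research), the following Python triage maps the capabilities described above, accessibility-service abuse, screen overlays, SMS exfiltration and sending, notification capture, and call forwarding, to the Android permissions and service bindings an app must declare to obtain them, and flags a manifest that requests that combination. The manifests are constructed samples; the capability-to-permission mapping is a heuristic for analyst triage, not a signature for this specific family.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities attributed to Godfather, mapped to the Android permissions or
# system-only service bindings an app needs to exercise them (heuristic).
CAPABILITY_INDICATORS = {
    "accessibility_abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_exfil_and_send": {"android.permission.READ_SMS",
                           "android.permission.RECEIVE_SMS",
                           "android.permission.SEND_SMS"},
    "notification_exfil": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "call_forwarding_ussd": {"android.permission.CALL_PHONE"},
}

def declared_permissions(manifest_xml):
    """Collect <uses-permission> names plus the system-only permissions
    that <service> elements bind with (accessibility, notification listener)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    for svc in root.iter("service"):
        bind_perm = svc.get(ANDROID_NS + "permission")
        if bind_perm:
            perms.add(bind_perm)
    return perms

def triage(manifest_xml):
    """Return {capability: [matching declared permissions]} for each hit."""
    perms = declared_permissions(manifest_xml)
    return {cap: sorted(perms & needed)
            for cap, needed in CAPABILITY_INDICATORS.items() if perms & needed}

def is_suspicious(manifest_xml, threshold=3):
    """Flag when at least `threshold` of the listed capabilities co-occur."""
    return len(triage(manifest_xml)) >= threshold

# Constructed sample: a "downloader"-style app requesting the full capability set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign control: only network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
```

Run `triage(SAMPLE_MANIFEST)` to see which capabilities matched; a single hit such as SYSTEM_ALERT_WINDOW alone is common in legitimate apps, which is why the flag requires several capabilities together.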
The threat collects device information and sends it to its C&C server, including network operator name and country code, phone status, default device user agent, bot ID, installed applications, Android version, device model, and details on whether required permissions have been granted.
Most of the banks Godfather targets are in the US (49), Turkey (31), and Spain (30), but the malware also targets banking applications in Canada (22), France (20), Germany (19), and the UK (17).
Godfather appears to be operated out of Russia, as it halts its malicious routine if it detects that the device language is one used in the former Soviet Union countries.