The new malware was designed to collect user data, and it is targeting primarily banking and cryptocurrency applications. Once it infects a device, the malware begins to display fake websites of regular banking and crypto apps in order to steal the login data of users. BaFin revealed that the malware is targeting around 400 banking and crypto apps, including those operating in Germany.
We also know that Godfather relies on push notifications to obtain two-factor authentication codes, and that cybercriminals can use this data to gain access to consumers’ accounts and wallets.
Godfather first came into the spotlight in December 2022, when reports surfaced that it was infecting Android devices and targeting users in 16 countries. The Godfather trojan was reportedly uncovered for the first time in 2021 by cybersecurity experts from Group-IB. Since then, the malware has been improved via code upgrades, and it is now predominantly targeting banking apps from the US.
Other affected countries include Germany, Spain, Turkey, and Canada. Godfather can affect 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps according to cointelegraph.com.
According to pcrisk.com, once Godfather is installed, it begins to imitate the Google Protect tool. While doing so, it asks the user for access to the Accessibility Service. If the user grants access to the Accessibility Service, the malware can access SMSs, contacts, and notifications. It can also record the user’s screen, make calls, and write to external storage.
By taking advantage of the Accessibility Service, Godfather can prevent victims from removing the malware from their devices. It can also obtain Google Authenticator one-time passwords, steal data from PIN and password fields, and process various commands.
It is worth noting that the malware does not operate on Android devices that have their language set to, Azerbaijani, Belarusian, Kazakh, Kyrgyz, Moldovan, Russian, Tajik, Uzbek or Armenian.
The malware is being distributed using deceptive applications on Google Play Store mimicking legitimate applications. Some of the symptoms of an infected device include system settings being modified without the user’s permission, general sluggish performance, an increase in data and battery usage, intrusive advertisements, and browsers redirecting to questionable websites.
In order to prevent infection, users should make sure that Google Play Protect is always enabled on their devices. Moreover, they should be careful when opening links or files received via email or SMS.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now