2022-12-21

Multiple cybersecurity firms have confirmed the existence of Godfather, an Android banking malware that targets victims' banking and cryptocurrency accounts.

Experts from Group-IB, ThreatFabric, and Cyble have all recently reported on Godfather, its targets, and its methods: the malware attempts to steal credentials by impersonating legitimate banking and cryptocurrency apps (exchanges, wallets, and the like).

The researchers found that Godfather has targeted more than 400 different entities, most of them in the US (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).

Multiple infection vectors

The malware also profiles the device it has infected: if it determines that the device language is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek or Tajik, the whole operation shuts down. The researchers believe the threat actors are of Russian descent.

The exact number of infected devices is impossible to determine, as the Play Store is not the only infection vector. In fact, the malware has had relatively limited distribution through Google's app repository, and its main distribution channels have yet to be discovered. What we do know, courtesy of Cyble's research, is that one of the malicious apps has over 10 million downloads.

Even once a victim has installed the malware, it still needs the victim to grant it permissions. To obtain them, it in some cases imitates "Google Protect" and requests access to the accessibility service. If the victim grants this, the malware can take over text messages and notifications, start recording the screen, exfiltrate contacts and call lists, and more.

Enabling the accessibility service makes the malware even more difficult to remove and also allows the threat actors to exfiltrate one-time passwords generated by Google Authenticator.
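Because the accessibility service is the pivot for everything described above, the check a defender most wants is a list of which packages currently hold it. The following is an added example, not code from the article or from any of the firms it cites. It parses the value of Android's `enabled_accessibility_services` secure setting (as printed by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` component names, or `null` when none is enabled) and flags any package that is not on an allowlist. The allowlist contents and the `com.example.fakeprotect` package in the sample output are constructed for illustration.

```python
"""Audit which apps hold Android's accessibility service (added example)."""
import subprocess
from typing import List, Tuple

# Illustrative allowlist (assumption): a real deployment maintains its own
# list of accessibility services it expects to see on managed devices.
KNOWN_GOOD = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Parse the ENABLED_ACCESSIBILITY_SERVICES setting into (package, class) pairs.

    The setting is a colon-separated list of component names of the form
    "package/ServiceClass". `settings get` prints "null" when nothing is
    enabled, which is treated as an empty list.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        component = component.strip()
        if not component:
            continue
        pkg, _, cls = component.partition("/")
        # A class name starting with "." is relative to the package name.
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def audit(raw: str, allowlist=KNOWN_GOOD) -> List[str]:
    """Return packages holding accessibility access that are not allowlisted."""
    return [pkg for pkg, _ in parse_enabled_services(raw) if pkg not in allowlist]


def read_from_device() -> str:
    """Query a connected device over adb (needs adb in PATH and USB debugging on)."""
    return subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed sample output: TalkBack plus a sideloaded app posing as a
# security product. The second package name is made up for this example.
SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeprotect/.OverlayService"
)

if __name__ == "__main__":
    for pkg in audit(SAMPLE):
        print(f"review: {pkg} holds accessibility access and is not allowlisted")
```

On a real device, replace `SAMPLE` with `read_from_device()`; any flagged package that the user did not knowingly enable as an assistive tool deserves a closer look, since the accessibility service is what lets an app read notifications, inject input and capture the screen.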

The researchers also said the malware supports additional modules that give it further functions, such as launching a VNC server, enabling silent mode, establishing a WebSocket connection, or dimming the screen.

Via: BleepingComputer