{"id":20895,"date":"2022-12-22T16:10:58","date_gmt":"2022-12-23T00:10:58","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/12\/22\/news-14628\/"},"modified":"2022-12-22T16:10:58","modified_gmt":"2022-12-23T00:10:58","slug":"news-14628","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/12\/22\/news-14628\/","title":{"rendered":"Godfather Android banking malware is on the rise"},"content":{"rendered":"

Researchers at Cyble Research & Intelligence Labs (CRIL)<\/a> have found a new version of the Android banking Trojan called Godfather.<\/p>\n

The new version of Godfather uses an icon and name similar to a legitimate application named MYT Music, which is hosted on the Google Play Store with over 10 million downloads.<\/p>\n

History<\/h2>\n

Group-IB researchers<\/a> established that Godfather is a successor of Anubis. Anubis was a widely used Android banking Trojan that lost popularity after its functionality got limited by Android updates and security vendors’ detection and prevention efforts.<\/p>\n

Godfather’s success is mostly due to its ability to create convincing lay-over screens for over 400 applications. This use of lay-over screens or web fakes, are basically HTML pages created by threat actors that display over legitimate applications. This allows the threat actors to harvest login credentials for banking applications and other financial services. The target apps include banking applications, cryptocurrency wallets, and crypto exchanges.<\/p>\n

The most popular target apps for the banking Trojan are in the United States (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17). The Trojan checks the system language of the infected device and shuts down if it is one of these: Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.<\/p>\n

Install<\/h2>\n

Several of the new Godfather samples were found masquerading as the MYT Müzik application which is written in the Turkish language. After installing it uses an icon and the name that are very similar to a legitimate application named MYT Music. MYT Music is a popular app with over 10 million installs.<\/p>\n

Getting permissions<\/h2>\n

To get the necessary permissions, the Trojan poses as Google Protect, which is a standard security tool found on all Android devices. It pretends to initiate a scan and asks the user for access to the Accessibility Service. Which makes sense to the user given that they think the app will scan the device. With access to the Accessibility Service, the Trojan can grant itself all the permissions it needs to steal information from the affected device.<\/p>\n

Capabilities<\/h2>\n

Once fully active, Godfather steals sensitive data such as SMS messages, basic device details including installed apps data, and the device’s phone number. It can also control the device screen, forward incoming calls of the victim’s device, and inject banking URLs. The Trojan is capable of initiating money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialer user interface<\/p>\n

It sends the harvested data to the attacker. Who, in turn, now know which apps are installed and can inject HTML phishing pages that are most effective if the victim has the imitated app installed. The Command & Control (C2)<\/a> server’s URL is fetched from a Telegram channel.<\/p>\n

IOCs<\/h2>\n

For the variant posing as the MYT Muzik app CRIL provided:<\/p>\n

APK Metadata Information<\/p>\n