After a brief hiatus, the newly prevalent Godfather Android malware has returned with a vengeance, targeting over 400 international financial institutions. The Android trojan creates fake login pages in order to steal customer login information, and that’s just the beginning. In an attempt to gain complete control of devices, Godfather also mimics Google’s pre-installed security tools.
Group I-B, a malware analytics firm, discovered Godfather, with the first samples appearing in June 2021. This malware is thought to have evolved from Anubis, another well-known bank hacker. Godfather circulated in low concentrations until June 2022, when it vanished. It appears that the operators were simply working on a new version.
In September of this year, Godfather returned with a vengeance, targeting a whopping 400 financial institutions: 215 international banks, 94 cryptocurrency wallets, and 110 crypto exchanges.
When Godfather is installed on a device, it generates fake login pages from which it can obtain usernames and passwords. Many banks and crypto firms require additional logins, which is where Godfather’s other mechanisms come in handy. Following installation, the malware poses as a Google Play Protect alert. Some users will grant the malware access control after mistaking this for a legitimate popup from Android’s default security suite. Godfather can then record the screen, read SMS, send fake notifications, make calls, and do other things to compromise a bank account or crypto vault.
The malware appears to be spreading through the Play Store via decoy apps. Group I-B has not determined who created and profits from Godfather, but it has a strong suspicion that they speak Russian. The malware contains a kill switch that checks the OS language setting. If it discovers that the default language is one spoken in former Soviet states (other than Ukrainian), it will shut down rather than steal data. It’s not a smoking gun, but it’s certainly suspicious.
Following an examination of Telegram channels, Group I-B concludes that Godfather is an example of Malware-as-a-Service (MaaS). The creators essentially license the malware to third parties, who can provide them with juicy financial details without having to develop the malware and infrastructure. It is aimed at institutions all over the world, including the United States (49 locations), Turkey (31), Spain (30), and Canada (22). If you suspect an infection, disable accessibility in all installed apps (usually found under Settings > Accessibility) and change your important passwords on a different device.
