Hundreds of Banks and Cryptocurrency Exchanges Targeted by Android Godfather Malware
Several cybersecurity companies have confirmed the existence of Godfather, an Android banking malware found targeting victims' bank accounts and cryptocurrency holdings.
Experts at Group-IB, ThreatFabric, and Cyble all recently reported on Godfather, its goals and methods, showing that the malware attempts to steal login credentials by overlaying fake login screens on top of legitimate banking and cryptocurrency apps (exchanges, wallets, etc.).
The team found that The Godfather had targeted more than 400 different entities, most of them in the US (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17).
Multiple infection vectors
The malware also checks the language of the device it has infected: if the device language is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek or Tajik, it halts all operations, leading some researchers to believe that the threat actors are based in Russia.
It is not possible to determine the exact number of infected devices because the Play Store is not the only infection vector. In fact, the malware has a relatively limited distribution through Google's app store, and the main distribution channels remain unknown. What is known, thanks to Cyble's research, is that one of the malicious apps had over 10 million downloads.
Once a victim installs the malware, it must first be granted permissions, which is why in some cases it mimics "Google Protect" and asks for access to the Accessibility Service. If the victim grants it, the malware takes over SMS messages and notifications, starts screen recording, exfiltrates contacts and call lists, and more.
With the Accessibility Service enabled, the malware is also much harder to remove, and the access lets the threat actors steal Google Authenticator one-time passwords.
The researchers also said the malware supports additional modules that give it further capabilities, such as launching a VNC server, enabling silent mode, establishing WebSocket connections, or dimming the screen.
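Because the Accessibility Service grant is the pivot point for everything described above, the practical check on a managed Android fleet is to audit which packages currently hold that grant and flag any that are not expected. The script below is an added example, not code from the article or from any of the vendors it cites. It parses the value that `adb shell settings get secure enabled_accessibility_services` prints (a colon-separated list of `package/ServiceClass` entries, the real format of that Android setting) against an allowlist; the allowlist contents and the `com.example.fakeprotect` package name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): audit which apps hold Android's
# Accessibility Service grant, the permission Godfather abuses.
# On a real device the input value comes from:
#   adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated "package/ServiceClass" pairs.

# Packages expected to have accessibility access. Assumption: tune this
# list to your own fleet; the two entries here are constructed examples.
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.switchaccess"

# Return 0 if the package is on the allowlist, 1 otherwise.
# Uses pattern matching instead of word splitting so it is immune to IFS changes.
is_allowed() {
    case " $ALLOWED_PACKAGES " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every enabled accessibility service whose package is not allowlisted,
# one per line. An empty or "null" value means no services are enabled.
suspicious_services() {
    value="$1"
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=':'
    for entry in $value; do
        pkg=${entry%%/*}          # strip "/ServiceClass" to get the package
        if ! is_allowed "$pkg"; then
            printf '%s\n' "$entry"
        fi
    done
    IFS=$old_ifs
}

# Print the number of suspicious entries (0 means nothing to investigate).
count_suspicious() {
    n=0
    for entry in $(suspicious_services "$1"); do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Constructed sample of the setting value on a compromised device: the
# legitimate TalkBack service plus a sideloaded app posing as "Google Protect".
SAMPLE_VALUE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeprotect/com.example.fakeprotect.ProtectService'

# Demo run against the constructed sample; prints the fake "protect" entry.
suspicious_services "$SAMPLE_VALUE"
```

In a fleet audit you would replace `SAMPLE_VALUE` with the live `adb shell settings get secure enabled_accessibility_services` output for each device and treat any non-zero `count_suspicious` result as a device to isolate and inspect; a TalkBack-only result is the normal state on most devices.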
Via: BleepingComputer