An Android malware is wreaking havoc in different parts of the world, infecting mobile devices to steal login credentials for hundreds of banks and cryptocurrency platforms. As reported by BleepingComputer, it is GodFather, which is not exactly a new threat, but which has evolved in recent times to become very dangerous.
The simplest explanation of how GodFather works is the following. Once the malware infects an Android phone or tablet, it scans the device for specific apps to attack. If it detects that the apps it targets are present on the device, it can display fake login screens for them to trick users into entering their username and password.
Of course, the entire process is much more complex than that, and it makes clear that this malicious software has reached a considerable level of sophistication. Regarding its distribution, security specialists have noted that, although apps carrying this malware have been found in the Google Play Store, the primary method of infection is still unknown.
A noteworthy fact is the number of applications targeted by GodFather. So far, this Android malware is capable of impersonating 419 finance apps. Of that total, 215 are banking apps, 110 are cryptocurrency exchanges, and the remaining 94 are cryptocurrency wallets.
While the reach of this malware is global, most of the affected banking apps belong to financial institutions in the United States. In the case of Spain, there have been attacks that spoof the login screens of 30 banking apps.
GodFather, an Android malware that targets banks and cryptocurrency platforms
If the malware manages to get onto an Android device, it impersonates Google Protect to run a supposed security scan. That way it requests access to Accessibility Services for a tool that, at first glance, does not arouse much suspicion. However, once that access is granted, it "takes over" the operation of the phone.
BleepingComputer details that the malicious software achieves such control over the infected phone that removing the Trojan becomes impossible. But not only that. It is also able to read text messages and notifications, record the screen, make calls, write data to external storage, and even capture the one-time codes of apps like Google Authenticator.
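Because the Accessibility Services grant is the step that hands GodFather its control, a defender's first check on a device is which accessibility services are actually enabled. The shell script below is an added example, not code from the article or from BleepingComputer's report: it parses the value that `adb shell settings get secure enabled_accessibility_services` returns, flags any entry outside an allowlist, and runs here on constructed sample values; the allowlist and the `com.example.scanner` package name are assumptions.

```shell
#!/bin/sh
# Added example: audit the accessibility services enabled on an Android device.
# On a live device the raw value comes from
#   adb shell settings get secure enabled_accessibility_services
# which returns a colon-separated list of "package/ServiceClass" entries,
# or "null" when no accessibility service is enabled.

# Services the device owner expects to see enabled (assumption: TalkBack only).
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Returns 0 if "$1" is on the allowlist, 1 otherwise.
is_allowed() {
    case " $ALLOWED_SERVICES " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Prints every enabled service that is not on the allowlist.
# Returns 0 when nothing unexpected is enabled, 1 otherwise.
audit_accessibility_services() {
    # Strip CR in case the value was captured from adb on Windows.
    raw=$(printf '%s' "$1" | tr -d '\r')
    # Nothing enabled means nothing to flag.
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    status=0
    old_ifs="$IFS"
    IFS=':'
    set -- $raw            # split the list into positional parameters
    IFS="$old_ifs"
    for entry in "$@"; do
        [ -z "$entry" ] && continue   # skip empty fields from stray colons
        if ! is_allowed "$entry"; then
            echo "UNEXPECTED accessibility service: $entry (package ${entry%%/*})"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample values (not real device output).
CLEAN_SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
SUSPICIOUS_SAMPLE="$CLEAN_SAMPLE:com.example.scanner/com.example.scanner.AccessService"

audit_accessibility_services "$CLEAN_SAMPLE" && echo "clean sample: OK"
audit_accessibility_services "$SUSPICIOUS_SAMPLE" || echo "suspicious sample: review the device"
```

An unexpected entry is a lead, not a verdict: confirm the package against what the user knowingly installed before treating it as an infection.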
If you wonder how it manages to fake the login screens of the banking and cryptocurrency apps, the story becomes even more complex. Being connected to a C2 (command and control) server, this Android malware sends it a list of the applications installed on the device. If it detects the presence of any of the apps it supports, it downloads a matching fake login form.
But that is not all. The malware does not simply impersonate the login screen and then wait for the user to open the affected app and enter their username and password. It also creates fake notifications from the applications in question, which trick users into entering their credentials.
A Trojan with more than one trick up its sleeve
Another thing to consider is that the malware attempts to steal credentials from any Android device it infects, even if the phone does not have any of the more than 400 apps it targets installed. What does it do in those cases? It can record the screen to capture the username and password that users enter in other banks or crypto platforms.
As a last curious fact, GodFather checks the language of the infected phone and does not attack those configured in specific languages. That is the case for Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek and Tajik. This leads security experts to assume that the malware comes from Russia or other territories outside the Soviet Union.