Godfather Banking Trojan Masquerades as Legitimate Google Play App - Dark Reading


A strain of Android malware that has been targeting banking users worldwide since March has resurfaced with advanced obfuscation methods, masquerading as a legitimate application on the Google Play store that has more than 10 million downloads, researchers have found.

Godfather is a banking Trojan best known for targeting banking users in European countries, but its latest activity shows increased sophistication in its ability to fly under the radar of common malware-detection methods, researchers from Cyble Research & Intelligence Labs (CRIL) said in a blog post on Dec. 20.

Once it is successfully installed on a victim's device, Godfather initiates a series of typical banking Trojan behaviors, including stealing banking and crypto-exchange credentials, the researchers said. But it also steals sensitive data such as SMS messages, basic device details (including data about installed applications) and the device's phone number, and it can perform a number of nefarious actions silently in the background.

"Apart from these, it can also control the device screen using VNC [virtual network computing], forwarding incoming calls of the victim's device and injecting banking URLs," the Cyble researchers wrote.

The latest sample of Godfather that the researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products, a new tactic for the threat actors behind the malware, the researchers said.

Targeting Businesses & Consumers

Upon further examination, the researchers found that the malware was using an icon and name similar to the legitimate Google Play app MYT Music, which has already logged more than 10 million downloads. Indeed, threat actors often hide malware on Google Play, despite Google's best efforts over the past several years to keep bad apps off its store before users are affected by them.

MYT Music is written in the Turkish language, and thus the researchers assume the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect other versions of the malware continue to be active and to target banking users worldwide.

Though banking Trojans tend to affect consumers more than the enterprise, business users are still at risk because they use their mobile devices at work and may even have business apps and data stored on their devices. For this reason, enterprise users should be especially wary of downloading apps from the Internet or opening any links received via SMS or email on a mobile phone, the researchers said.

Google Play has removed the malicious app, but those who already have it installed are still at risk.

How Godfather Pulls Victims' Strings

Once it is installed on an Android device, Godfather requests 23 different permissions from the device, abusing a number of them to gain access to the user's contacts and the state of the device, as well as information related to the user's account. It also can write or delete files in external storage and disable the keylock and any associated password security, the Cyble researchers said.

Godfather can also carry out money transfers from a compromised device: it can initiate calls through Unstructured Supplementary Service Data (USSD) codes that do not go through the dialer user interface, and thus do not require the user to confirm the call, they said.

The malware also extracts sensitive user data from the device, including application keylogs, and sends it back to a command-and-control (C2) server. The C2 server can in turn send Godfather a command that forwards any incoming calls the victim receives to a number provided by the threat actor, the researchers said.

Godfather then harvests credentials: it creates an overlay window in its OnAccessibilityEvent method (the AccessibilityService callback that fires on UI events such as window changes, which lets the malware time the overlay to the real banking app appearing on screen) and injects HTML phishing pages via a separate command from C2; the C2 server URL is obtained from a Telegram channel, hxxps://t[.]me/varezotukomirza, the researchers said.

Once it completes its malicious activity, Godfather receives a "killbot" command from C2 to self-terminate, they added.
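The permission and component pattern described above (an accessibility service driving an overlay, plus SMS, dialing, keyguard and contact access) is something an analyst can check for directly in an APK's decoded manifest. The following triage script is an added example, not code from Cyble or Dark Reading, and it makes two assumptions: the two manifests embedded in it are constructed for illustration, and, since the article does not enumerate the 23 permissions the sample requests, the rules encode the capabilities the article describes rather than a signature of the real Godfather sample. Point `triage_manifest` at the AndroidManifest.xml that apktool writes out for any app under review.

```python
"""Triage a decoded AndroidManifest.xml for the overlay-banking-Trojan pattern.

Added example (not Cyble's or Dark Reading's code). The manifests below are
constructed; the rule set reflects capabilities the article describes
(overlay injects, accessibility abuse, SMS theft, unattended dialing,
keyguard disabling, contact access), not the real sample's permission list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# capability -> permissions that grant it; any one of them is enough to flag
CAPABILITIES = {
    "overlay (draw over other apps, used for phishing injects)": {OVERLAY},
    "SMS theft (one-time codes)": {"android.permission.READ_SMS",
                                   "android.permission.RECEIVE_SMS"},
    "unattended dialing (USSD transfers, call forwarding)": {
        "android.permission.CALL_PHONE"},
    "keyguard disabling": {"android.permission.DISABLE_KEYGUARD"},
    "contact exfiltration": {"android.permission.READ_CONTACTS"},
}


def declared_permissions(root):
    """Set of android:name values from every <uses-permission> element."""
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def has_accessibility_service(root):
    """True if a <service> is protected by BIND_ACCESSIBILITY_SERVICE, i.e.
    the app receives onAccessibilityEvent callbacks and can read the screen."""
    return any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
               for svc in root.iter("service"))


def triage_manifest(manifest_xml):
    """Return a sorted list of findings; an empty list means nothing flagged."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    findings = []
    for capability, needed in CAPABILITIES.items():
        hit = sorted(perms & needed)
        if hit:
            findings.append(f"{capability}: {', '.join(hit)}")
    accessibility = has_accessibility_service(root)
    if accessibility:
        findings.append("accessibility service declared")
    # The pairing that matters most: accessibility events give the malware the
    # timing to draw an overlay on top of the real banking app.
    if accessibility and OVERLAY in perms:
        findings.append("HIGH: accessibility service + overlay permission")
    return sorted(findings)


# Constructed manifest mimicking the described behaviour (not the real sample).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.musiclookalike">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Music">
        <service android:name=".EventService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed manifest for an ordinary music player: nothing should be flagged.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.musicplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Music">
        <service android:name=".PlaybackService"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(manifest) or ["no findings"])
```

The check is deliberately about capability combinations rather than any single permission: a music player legitimately asking for storage or Internet access is unremarkable, whereas a music player that binds an accessibility service and can draw over other apps, read SMS and place calls has the full toolkit the researchers describe, which is why the combined accessibility-plus-overlay finding is marked HIGH.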

Avoiding Being Whacked by Godfather

The most common way to avoid downloading mobile app malware is to download and install software only from official app stores such as Google Play or Apple's App Store, the accepted wisdom goes.

However, as this case shows, malware can lurk in official app stores too, so "practicing basic cyber-hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices," the researchers noted in the post, including using a reputable antivirus and Internet security software package on connected devices to ensure anything downloaded is free of malware.

Also, advanced anti-detection methods like the ones the threat actors behind Godfather are using can make even downloading what appear to be legitimate apps tricky, they said. To further protect themselves, users can use strong passwords and enforce multifactor authentication on accounts wherever possible, making it more difficult for threat actors to break into their accounts. Since the malware steals SMS messages, one-time codes delivered by SMS are within its reach, so an authenticator app or hardware token is the stronger second factor here.

Android device users also should ensure that Google Play Protect is enabled on their devices for an additional layer of protection, the Cyble researchers added.

All mobile device users also should enable biometric security features such as fingerprint or facial recognition for unlocking the device and using apps, where possible, and be especially cautious when granting permissions, particularly to an app that has not been verified by a reputable provider, they added.
