Godfather uses 'web fakes' to serve-up a 'banking trojan that's impossible to refuse' - SC Media

American actor Marlon Brando is seen in a still image from the film, "The Godfather." (Photo by Paramount Pictures/Courtesy of Getty Images)

Using imagery and verbiage from the iconic movie starring Marlon Brando, researchers reported that the Android banking trojan Godfather has been using “web fakes” to attack more than 400 targets across 16 countries, including mobile banking applications, cryptocurrency wallets, and crypto exchanges.

In a Dec. 21 blog post, Group-IB researchers explained that Godfather has been designed to let cybercriminals harvest login credentials for mobile banking applications and other financial services — and then drain the accounts. It should be noted that the Group-IB blog does not offer an estimate of the total financial impact.

Group-IB first detected Godfather in June 2021. In March 2022, researchers at Threat Fabric first mentioned the banking trojan publicly. A few months later, the trojan was taken out of circulation. Group-IB researchers believe Godfather was taken out of use so developers could update the malware. Godfather reappeared in September, now with slightly modified WebSocket functionality. Godfather’s predecessor is Anubis, another banking trojan. The researchers said Godfather’s developers used Anubis source code as a basis and modernized it for newer versions of Android.

The researchers say as of October, 215 global banks, 94 cryptocurrency wallets, and 110 crypto exchanges have fallen victim to Godfather. Financial services providers in Canada, France, Germany, UK, the United States, Italy, Poland, Spain, and Turkey, among many others, were targeted.

Of interest to Western countries, the researchers say Godfather spares users in post-Soviet countries. If the potential victim’s system preferences include one of the languages in Eastern Europe, the trojan shuts down. This could potentially suggest that Godfather’s developers are Russian speakers, say the researchers.

Like most other Android-based malware, Godfather is also delivered by a fake application that uses a name and icon similar to a popular app or game, said Venky Raju, Field CTO of ColorTokens. Unsuspecting users download the phony app and get infected, so Raju said users need to be very cautious when downloading applications to their mobile devices.

“On desktop browsers, we have learned to look at the URL closely to ensure it’s not a fake site and we need to exercise the same caution on mobile device app stores,” said Raju. “This is more of an issue on Android devices as Google Play does not exercise tight controls on developer submissions. Even though Google removes malicious applications as soon as they become aware of it, many unsuspecting users get impacted.”

Dangerous malware has made its way onto mobile phones and many developers and app publishers still believe that the app stores from Google and Apple are protected from being infected with malware, said Will LaSala, Field CTO at OneSpan. LaSala said with this new Godfather trojan, it’s important to understand that malware evolves as quickly as the major app stores can take them down, so developers and app publishers should ensure their applications are protected with app shielding, beyond what these stores can offer.

“The trojans of today focus on specific types of attacks, which can be stopped by app shielding being applied to an application before they can cause damage,” LaSala said. “App shielding is a process of hardening the application before it’s published to the app store. It will protect from screen readers, library injection, and even app store repackaging — which is how many trojans are being deployed now. Trust in the major app store providers should be evaluated, and further application should be applied to protect users.”
