Android Banking Trojan Steals Through Mimicry

Trojan Impersonates More Than 400 Financial and Crypto Exchange Apps

The Godfather banking Trojan is causing serious issues in the financial sector due to its ability to mimic the appearance of more than 400 applications, including leading financial and crypto exchange applications. So far, it has targeted institutions in 16 countries.

Research from security intelligence firm Group-IB says the Godfather Trojan reappeared in September with slightly modified WebSocket functionality after a brief three-month pause in circulation.

A signature feature of Godfather is fake login pages that look like the real thing, tricking unsuspecting users into handing over their credentials. Godfather passes those credentials on to the genuine financial service app while also exfiltrating the push-notification one-time passcodes used for second-factor authentication. The objective is to gain access to funded accounts and drain them.

Godfather is an upgraded version of the Anubis banking Trojan. It gets around Android security updates limiting Anubis through an updated command-and-control communication protocol. Group-IB researchers aren’t entirely sure how Godfather infects devices but suspect one method is malicious apps on the Google Play store.

The Trojan establishes persistence by emulating a security feature that asks the user's permission to scan the device. The "scan" actually pins a fake "Google Protect" notification and hides the Trojan's icon from the list of installed applications. It then seeks access to further layers of Android functionality by asking the user to grant it the AccessibilityService, an operating system feature intended to let developers adapt apps for users with disabilities.
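The two indicators in that paragraph (an app holding accessibility access while hiding its own launcher icon, and a label that imitates Google Play Protect) can be turned into a simple triage heuristic over a device inventory. The following is an added example written for this page, not Group-IB's tooling or anything from the Godfather report; the inventory format, package names and the allow-list are all constructed and hypothetical.

```python
"""Triage heuristic for the persistence pattern described above.

Legitimate software almost never combines an enabled accessibility service
with no launcher activity, and no third-party app has a reason to call itself
"Google Protect". Records are a constructed, simplified inventory (imagine a
hypothetical MDM export), not real device output.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical allow-list of accessibility apps the organisation has vetted.
KNOWN_ACCESSIBILITY_APPS = {"com.example.screenreader"}  # constructed

# Labels that imitate the platform's own security feature.
SUSPICIOUS_LABELS = ("google protect", "play protect", "google play protect")


@dataclass
class AppRecord:
    package: str
    label: str
    accessibility_enabled: bool   # an AccessibilityService of this app is enabled
    has_launcher_activity: bool   # app exposes a MAIN/LAUNCHER activity (icon visible)


def score_app(app: AppRecord) -> tuple[int, list[str]]:
    """Return (score, reasons); higher score means more indicators present."""
    reasons: list[str] = []
    if app.package in KNOWN_ACCESSIBILITY_APPS:
        return 0, reasons
    if app.accessibility_enabled:
        reasons.append("enabled accessibility service")
        if not app.has_launcher_activity:
            reasons.append("no launcher icon while holding accessibility access")
    label = app.label.lower()
    if any(s in label for s in SUSPICIOUS_LABELS) and not app.package.startswith("com.google."):
        reasons.append("label imitates Google Play Protect")
    return len(reasons), reasons


def triage(inventory: list[AppRecord], threshold: int = 2) -> dict[str, list[str]]:
    """Map package -> reasons for every app that reaches the threshold."""
    flagged: dict[str, list[str]] = {}
    for app in inventory:
        score, reasons = score_app(app)
        if score >= threshold:
            flagged[app.package] = reasons
    return flagged


# Constructed sample inventory; every package name here is hypothetical.
SAMPLE_INVENTORY = [
    AppRecord("com.example.bank", "Example Bank", False, True),
    AppRecord("com.example.screenreader", "Screen Reader", True, True),
    AppRecord("com.zqx.updater", "Google Protect", True, False),
    AppRecord("com.example.game", "Puzzle Game", False, True),
]

if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```

A single indicator is not enough on its own (accessibility services are legitimate and widely used), which is why the heuristic requires at least two before it flags a package and why vetted accessibility apps are allow-listed up front.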

So far, Godfather has targeted users of 215 banks, 94 crypto wallet providers and 110 crypto exchange platforms.

If you have questions about the IT security threats that could impact your bank and ways to mitigate them, call ITPAC today.