Researchers believe that Godfather, an Android banking trojan, could be the successor to Anubis, an Android banking trojan that was once widely used but was eventually abandoned because it could not bypass newer Android defenses.
Godfather draws a fake login screen on top of the login page of banking and cryptocurrency exchange apps when the victim tries to log in. The overlay deceives victims into entering their real credentials into well-made HTML phishing pages.
The malware, first discovered in March 2021 by Threat Fabric, has seen significant improvements and upgrades to its code since then. It is particularly dangerous because it can be used to steal personal information from users, including their addresses, phone numbers, and other sensitive data.
Android malware is on the rise, and a fake music app is to blame.
Google Play Store apps account for a small number of the infections, but researchers are still not sure which distribution channel is the primary one, so the initial infection method remains unknown.
The targeted apps are mostly banking apps from the United States, Turkey, Canada, France, Germany, Spain, and the United Kingdom. The malware also targets cryptocurrency exchange platforms and cryptocurrency wallet apps.
The trojan checks the system language and does not run if it is Russian, Armenian, Kazakh, Kyrgyz, Moldovan, Uzbek, or another language of the region. This suggests that the people behind the Godfather trojan speak Russian and probably reside in the Commonwealth of Independent States (CIS) region.
If you are worried about your Android device being compromised, make sure Google Play Protect is enabled. It is a standard security check available on all Android devices.
The malware requests access to Accessibility Services while posing as a legitimate tool; once the target approves the request, the malware can grant itself all the permissions it needs to carry out its malicious activities.
These activities include access to notifications and messages, reading contacts, making phone calls, writing to external storage, and reading the handset status.
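A manifest-triage heuristic, added here as an example (it is not code from the report, from Threat Fabric, or from the malware): it flags, in a decoded AndroidManifest.xml, the permissions and service bindings that correspond to the capabilities listed above, weighting a bound Accessibility or notification-listener service highest because that is what lets an app grant itself the rest. The sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions that map to the capabilities listed above.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays (fake login screens)",
    "android.permission.READ_SMS": "read messages / OTPs",
    "android.permission.RECEIVE_SMS": "intercept incoming messages",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.READ_PHONE_STATE": "read handset status",
}
# Service bindings that expose the Accessibility and notification APIs.
RISKY_SERVICE_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Flag risky permissions and service bindings in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    perms = {p: RISKY_PERMISSIONS[p] for p in declared if p in RISKY_PERMISSIONS}
    services = {}
    for svc in root.iter("service"):
        bind = svc.get(ANDROID_NS + "permission")
        if bind in RISKY_SERVICE_PERMISSIONS:
            services[svc.get(ANDROID_NS + "name")] = RISKY_SERVICE_PERMISSIONS[bind]
    # A bound accessibility/notification service weighs double: it is the lever
    # that lets the app grant itself the remaining permissions.
    score = len(perms) + 2 * len(services)
    return {"permissions": perms, "services": services, "score": score}

# Constructed sample: a "music player" that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.musicplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

On the constructed sample, `triage_manifest(SAMPLE_MANIFEST)` reports three risky permissions plus one bound accessibility service, for a score of 5; a real triage pipeline would run this over manifests decoded from APKs with a tool such as apktool.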
The threat actor has been targeting telecom service providers and alters its methods when they are detected. This is a threat to the security of the telecom industry and the public.
Accessibility Services are abused both to prevent the victim from removing the malware and to exfiltrate Google Authenticator codes (OTPs). This also lets attackers capture passwords, PINs, and commands.
The malware exfiltrates the list of installed apps to the C2 server and receives the matching fake HTML login pages used to steal credentials, giving attackers user credentials and access to sensitive information.
Threat Fabric researchers say the web fakes mimic the login pages of legitimate applications, and all data entered into the fake HTML pages, such as usernames and passwords, is exfiltrated to the C&C servers.
The malware can send fake notifications purporting to come from the targeted apps on the victim's handset, so it does not have to wait for the targeted app to be opened. For apps that are not on Godfather's list, the malware uses its screen recording feature to capture the credentials the victim enters in the fields.
Godfather accepts commands from the C2 server, and its components let it perform actions such as keylogging, recording the screen, turning on silent mode, starting a VNC server, locking the display, and exfiltrating or blocking notifications.
There is currently no consensus on who created Godfather, but it is possible that the same attackers behind Anubis and other malware are also behind it. This new malware could be more sophisticated and dangerous than any of the existing variants, and could be used to steal confidential data or to attack other systems. If so, it would be a major threat to businesses and individuals.
Both families use similar methods to receive the C2 address, execute C2 commands, serve fake web pages, and operate a proxy mode.
Godfather additionally includes a VNC server, screen recording, and a routine for stealing Google Authenticator codes.
A hacker group used compromised corporate emails to send phishing messages, according to a report. Muddy Water was used in the attack, which is said to have occurred between late 2015 and early 2016. The group is said to have been using the emails for spamming purposes.