The Limited Times

»Godfather«: Bafin warns of banking Trojans

2023-01-09T14:12:55.254Z


A powerful piece of malware imitates, among other things, the online banking of German financial institutions. Bafin warns of the Android Trojan, but it is difficult to detect.


Financial and payment services (symbolic image): »Godfather« targets more than 400 such services

Photo: Monika Skolimowska / dpa

Things got unchristian shortly before Christmas: »Godfather« had already targeted 419 online banking apps, cryptocurrency wallets and trading venues around the world since mid-2019, according to the Singapore-based IT security company Group-IB.

The aim of the powerful-sounding malware, presumably distributed via infected Android apps, is to intercept login credentials, including two-factor notifications.

This allows criminals to hijack their victims' online accounts.

The Federal Financial Supervisory Authority (Bafin) is now also warning of the malware, since German bank customers could also be at risk.

"Godfather has been known to display fake websites from regular banking and crypto apps," the warning reads.

"If consumers log in via these websites, their login data will be sent to the cyber criminals."

The warning does not reveal how »Godfather« is being distributed.

Bafin merely refers to a video by the Federal Office for Information Security (BSI) that gives general tips for increasing security when using apps.

One of them is to only install apps from the official stores.

But that alone is not enough in the case of »Godfather«.

The malware is also sometimes found in deceptively real-looking versions of well-known apps that are offered in Google's Play Store, for example a Turkish music app or a currency converter.

The »Godfather« developers want to spare users in post-Soviet countries

When first launched, »Godfather« supposedly starts a scan for malware.

The developers imitate Google Play Protect, Google's own protection feature that, among other things, checks apps on a smartphone that do not come from the Play Store for malware.

In fact, »Godfather« doesn't scan anything.

The fake scan, together with the access to Android's accessibility services that is requested at the same time, only serves to give the Trojan the permissions it needs to hide in the background and become active in secret.

It is also able to record keystrokes, record the screen, and access SMS and push notifications, for example those used for two-factor authentication (2FA), and forward them to the criminals' control server.

Notably, »Godfather« checks the configured system language.

Apparently, Russian, Belarusian, Kazakh, Azerbaijani, Armenian and Uzbek users, among others, are to be spared.

If one of these languages is set, the Trojan does not become active any further.

It can therefore be assumed, writes Group-IB, that the developers themselves speak Russian or come from the region.

Deception when opening the banking app

The Trojan checks which banking and crypto apps are installed on the device and, when one of them is opened, displays a website that looks exactly like it.

Group-IB's published analysis does not reveal how many times the deception has worked, how easy or difficult it is to detect the process, and how exactly the 2FA process is triggered.

The only thing that is clear is that anyone who enters their login credentials in the belief that they are using their usual banking app sends them to the criminals.

As a precautionary measure, Android users should ensure that Google Play Protect is activated and, above all, only download financial apps from the Play Store.

Google's protection function then checks apps in the store for malware in advance.

It is also advisable to call up the provider information for the app in the Play Store before installing it.

A fraud attempt may be noticed at this point.
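
The following is an added example, not part of the original article or of Group-IB's analysis: a small defender-side audit that lists every app holding an enabled accessibility service (the access the Trojan requests) and prioritises those not installed via the Play Store. It assumes the inputs were captured with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the package names and sample values are constructed.

```python
import re

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.example.screenreader/com.example.screenreader.ReaderService:"
               "com.example.currencyconverter/com.example.currencyconverter.Helper")

# Constructed sample of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.currencyconverter  installer=null
package:com.example.bank  installer=com.android.vending
"""

def parse_accessibility(value):
    """Return the set of packages that own an enabled accessibility service."""
    value = value.strip()
    if not value or value == "null":  # setting is empty or unset
        return set()
    # Entries are colon-separated "package/component" pairs.
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def parse_installers(listing):
    """Map package name -> installer package (None if unknown or sideloaded)."""
    installers = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def review_list(a11y_value, listing):
    """Return (package, installer, verdict) for each accessibility-enabled app."""
    installers = parse_installers(listing)
    rows = []
    for pkg in sorted(parse_accessibility(a11y_value)):
        installer = installers.get(pkg)
        # Play Store origin is not proof of safety, so those still get a review.
        verdict = "review" if installer == PLAY_STORE else "high-priority"
        rows.append((pkg, installer, verdict))
    return rows

if __name__ == "__main__":
    for pkg, installer, verdict in review_list(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"{verdict:13}  {pkg}  (installer: {installer})")
```

Apps from the Play Store are still listed for review because, as described above, trojanized apps were also offered there.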

Group-IB is originally a Russian company.

In mid-2022, it spun off its international operations, which have since been managed from Singapore.

In 2016, co-founder Ilya Sachkov made the Forbes list of the top 30 talents in the global IT business, but in 2021 he was arrested by the Russian authorities on suspicion of high treason.

pbe

Source: spiegel
