The Federal Financial Supervisory Authority (BaFin) warns about the “Godfather” malware, which is currently recording user input on banking and crypto apps. Android devices are affected.

“Godfather” attacks around 400 financial service providers

The malware is said to attack a total of around 400 banking and crypto apps, including those from operators in Germany.

According to BaFin, it is still unclear exactly how the malware infects the app users' devices. What is known is that victims unknowingly enter their login details into fake websites displayed over the regular banking and crypto apps. After entering the login details, the victims do not gain access to their accounts; instead, the cybercriminals obtain the highly sensitive account credentials during this login attempt.

Two-factor authentication also at risk from “Godfather”

In addition, the malware triggers push notifications on the victims' devices in order to capture the two-factor authentication codes. Combined with the phished login data, the perpetrators then have, in the worst case, free access to their victims' accounts and online wallets.

The malware also sends push notifications to obtain the codes for two-factor authentication. With this data, cybercriminals may be able to access consumers' accounts and wallets.

What can you do?

In a video from the Federal Office for Information Security (BSI), consumers can find practical tips on how to use apps safely on mobile devices. The video is available on the BSI website.

However, according to the IT security specialists at Group-IB, “Godfather” is already an old acquaintance. An analysis of the Trojan at the end of 2022 revealed that “Godfather” is based on the malware Anubis. Its source code has since been adapted to newer Android versions and is offered to interested cybercriminals as malware-as-a-service on relevant Telegram channels. This means the malware used for attacks can simply be rented rather than developed in-house, a business model that is reportedly quite successful.

“Godfather” attacks financial institutions worldwide

The Godfather malware attacked more than 400 international financial companies between June 2021 and October 2022. Of these, 215 were international banks, 94 were cryptocurrency wallets and 110 were crypto exchange platforms. 49 of these companies came from the USA, 31 from Turkey and 30 from Spain. Financial service providers from Canada, France, Germany, the United Kingdom, Italy and Poland are among those most affected.

The functions of “Godfather” are very broad. The malware can take screenshots of the victim's device, establish VNC connections, launch keyloggers, trigger push notifications to bypass two-factor authentication, forward calls for the same purpose, execute USSD requests, send SMS messages from infected devices, start a proxy server and establish WebSocket connections.

While BaFin has not yet commented on how the Trojan gets onto app users' devices, Group-IB assumes, based on the malware's infrastructure, that the banking Trojan is distributed via Google Play using fake or deceptive apps. As an example, Group-IB cites an app called Currency Converter Plus. Other versions imitate a device scan by Google Play Protect, giving users the false impression that Google's security tools are protecting them from malware.

Clues on the origins of “Godfather”

Interesting clues about the origin of the dangerous malware are hidden in its language settings. “Godfather” checks the system language and, if one of the following languages is set, automatically stops its activities:

  • RU (Russia)
  • AZ (Azerbaijan)
  • AM (Armenia)
  • BY (Belarus)
  • KZ (Kazakhstan)
  • KG (Kyrgyzstan)
  • MD (Moldova)
  • UZ (Uzbekistan)
  • TJ (Tajikistan)

What protective measures?

As a protective measure, Group-IB suggests keeping your Android device up to date and checking for updates regularly, as newer Android versions are less vulnerable to banking Trojans.

Apps should only be downloaded from Google Play, even if that does not provide 100% protection, as this case shows. The permissions an app requests should be checked thoroughly: in the case of the “Godfather” Trojan, communication with its server can only begin once access to the AccessibilityService has been granted. Recipients should also not follow links in SMS messages.
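Because “Godfather” cannot reach its server until an app has been granted accessibility access, one practical check is to audit which apps currently hold that permission. The following is an added example, not code from the article or from Group-IB: on a real device the service list comes from `adb shell settings get secure enabled_accessibility_services`; here that output is replaced by a constructed sample string, and the allowlist (TalkBack only) and the unknown package name are assumptions.

```shell
#!/bin/sh
# Audit Android's enabled accessibility services against an allowlist.
# On a real device replace the constructed sample with:
#   ENABLED=$(adb shell settings get secure enabled_accessibility_services)
# The setting is a colon-separated list of "package/ServiceClass" entries.
SAMPLE_ENABLED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeconverter/.AccService'

# Services you expect on this device (assumption: only TalkBack is legitimate here).
ALLOWED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService'

# Print every enabled service that is not on the allowlist.
# Returns 0 if everything is allowlisted, 1 if any unexpected service was found.
audit_accessibility() {
    enabled="$1"
    allowed="$2"
    found=0
    old_ifs="$IFS"
    IFS=':'
    for svc in $enabled; do
        [ -z "$svc" ] && continue
        case ":$allowed:" in
            *":$svc:"*) ;;   # expected service, nothing to report
            *) echo "UNEXPECTED accessibility service: $svc"; found=1 ;;
        esac
    done
    IFS="$old_ifs"
    return $found
}

if audit_accessibility "$SAMPLE_ENABLED" "$ALLOWED"; then
    echo "No unexpected accessibility services enabled."
else
    echo "Review the services above; a banking Trojan typically needs this permission."
fi
```

Any entry that is reported should be matched against the package list from `adb shell pm list packages` and uninstalled if it is not an app you deliberately installed and trust.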

Inquiry to BaFin about contradictions in the available information

If you compare the information and open questions in the BaFin warning with the statements Group-IB published in December 2022, the question immediately arises as to why Group-IB seems to know the infection route well, while it is apparently still unknown to BaFin.

Heise Online raises exactly this question and has sent an inquiry to BaFin:
Why is there only now a warning about the malware? Why is the information on the infection route not available when relevant analyses were already published in December? An answer is still pending.

Ultimately, the question remains why apps that deliver malware to end devices keep appearing in the supposedly well-secured Google Play Store. Relying on the security of the Play Store alone is not enough; good, up-to-date virus protection provides additional protection.

Sources:

BaFin, Group-IB, Heise Online