Godfather Android Trojan Disguised as Crypto Calculator Detected
Cybersecurity firm Group-IB has reported the activity of the Godfather banking trojan targeting users of popular financial services on Android devices. According to their research, the trojan has victimized users of 215 international banks, 94 cryptocurrency wallets, and 110 crypto projects. The highest attack intensity was recorded in the United States, Turkey, Spain, Canada, France, and the United Kingdom.
Interestingly, Godfather avoids users in Russia and CIS countries: if the device's system language is set to Russian or the language of another CIS country, the trojan stops operating. Group-IB suggests that the developers of Godfather are likely Russian-speaking cybercriminals.
Group-IB specialists first detected the Godfather trojan in 2021. It resurfaced in the fall of 2022 with updated functionality. Godfather, which steals credentials from banking and crypto exchange clients, is based on a version of the Anubis banking trojan. The developers used Anubis’s source code as a foundation, adapting it for newer Android versions and enhancing its anti-detection mechanisms to bypass anti-fraud systems.
How Godfather Infects Devices
According to Group-IB, the Godfather loader was available on the official Google Play Store disguised as a crypto calculator. After installation, the app would prompt users to check their smartphone’s security, supposedly running the standard Google Protect scan for 30 seconds. In reality it only displayed a 30-second animation and then told the user that no malicious apps had been found.
During this process, Godfather would add itself to the device’s autostart, hide its icon from the list of installed apps, and obtain AccessibilityService permissions.
How the Attack Works
Once the user launched a mobile or web application for a bank, crypto exchange, or e-wallet, Godfather would display fake web pages (webfakes) over the legitimate apps. All data entered into these pages, including logins and passwords, would be sent to the attackers.
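As an added triage example (not code from Group-IB's report or from the Godfather sample), the script below inspects an app's AndroidManifest.xml for the three capabilities the article attributes to the loader and the overlay attack: a BOOT_COMPLETED receiver for autostart, a service bound with BIND_ACCESSIBILITY_SERVICE, and the SYSTEM_ALERT_WINDOW permission used to draw fake pages over other apps. The manifest is a constructed sample and the package and component names are assumptions; these indicators are a triage signal for further analysis, not a verdict, since legitimate apps also request them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical "crypto calculator" dropper;
# it declares the three capabilities the article attributes to Godfather.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cryptocalc">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Crypto Calculator">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Flag static indicators of the loader/overlay pattern described above."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Autostart: a receiver listening for BOOT_COMPLETED (or the matching permission).
    boot_receiver = any(
        a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
        for r in root.iter("receiver") for a in r.iter("action")
    )
    # AccessibilityService: a service guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y_service = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    indicators = {
        "boot_autostart": boot_receiver or "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "accessibility_service": a11y_service,
        # Overlay capability used to draw webfakes over legitimate apps.
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
    }
    indicators["hits"] = sum(1 for v in indicators.values() if v)
    return indicators
```

Run `triage_manifest(SAMPLE_MANIFEST)` on the sample to see all three indicators set; an app with all three together deserves a closer look than the store listing alone gives.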
One notable feature of Godfather is that its command-and-control server address is stored in the description of a Telegram channel—a technique previously used in some versions of Anubis.