After disappearing for several months, the new trending godfather Android malware is back with a vengeance, targeting more than 400 international financial institutions. The Trojan creates fake login pages to collect customer login details, and that’s just the beginning. Godfather also mimics Google’s pre-installed security tools in an attempt to gain complete control over devices.
Godfather was discovered by malware analytics firm Group IB, with the first samples appearing in June 2021. It is believed that this malware originated from another popular bank hacker known as Anubis The Godfather aired on a low level until June 2022, when it disappeared. It seems the operators were just preparing a new version. The Godfather came back with a vengeance in September this year, targeting a whopping 400 financial institutions: 215 international banks, 94 cryptocurrency wallets and 110 crypto exchanges.
Once installed on a device, Godfather will create fake login pages, which it can use to obtain usernames and passwords. Many banks and crypto firms have additional login requirements, and that’s where Godfather’s other mechanisms come into play. After installation, the malware disguises itself as a Google Play Protect alert Thinking it’s a legitimate popup from Android’s default security suite, some users will grant the malware accessibility controls. At that point, Godfather can record screens, read SMS, stop fake notifications, make calls and more — everything necessary to compromise your bank account or crypto vault.
The malware appears to be spreading through decoy apps on the Play Store. Group IB has not determined who created and profited from the Godfathers, but they highly suspect they are Russian speakers. The malware has a kill switch that checks the OS language setting. If it finds that the default language is one of the languages spoken in former Soviet states (except Ukrainian), it will shut down instead of stealing data. It’s not exactly a smoking gun, but it’s pretty suspicious.
After evaluating Telegram channels, Group IB believes that Godfather is an example of Malware-as-a-Service (MaaS). Manufacturers essentially license malware to third parties, which can provide them with juicy financial details without the hassle of developing the malware and infrastructure. It targets institutions all over the world, including the United States (49 sites), Turkey (31), Spain (30) and Canada (22). If you think you’ve been infected, remove accessibility from all installed apps (usually under Settings > Accessibility) and change your important password using a different device.