Group-IB, a cybersecurity company, has disclosed newly discovered details about GodFather, an Android Trojan it first uncovered in June 2021. The Trojan has now claimed over 400 victim applications worldwide, spanning banking apps, cryptocurrency wallets, and crypto exchanges.
First publicly mentioned by ThreatFabric, GodFather briefly went quiet between June and September this year, only to resurface with a new update. Like many other banking Trojans, it steals user credentials by drawing a fake overlay screen on top of the targeted application. It also contains code that lets it bypass two-factor authentication by abusing Android APIs to record the screen, log keystrokes, capture screenshots, and harvest SMS messages and calls.
So far, 215 international banks, 94 cryptocurrency wallet providers and 110 crypto exchange platforms have been targeted by this Trojan, including 49 companies from the United States and 30 from Spain. Other countries on the list include Turkey, Canada, France, Germany, the UK, Italy, and Poland.
Interestingly, the Trojan shuts itself down if the user's system language preferences include at least one language of the post-Soviet countries, or if it detects that it is running in an emulator. Group-IB believes the language check suggests that GodFather's developers are Russian speakers.
Group-IB also writes that GodFather may have been distributed through Google Play apps. GodFather holds four command-and-control addresses, one of which belongs to an app named Currency Converter Plus (com.plus.currencyconverter) that was hosted on the Google Play Store in June 2022. This application is no longer available for download.
GodFather can masquerade as the Google Play Protect service, mimicking the genuine Google application. While it plays a fake scanning animation, it creates a pinned notification and hides its icon from the list of installed applications. It can also be disguised as the Turkish MYT Müzik app, using a similar icon and name. Group-IB warns that these are only the artifacts found so far by Group-IB and Cyble, and that more may exist.
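As an added defensive illustration (not code from Group-IB's report), the following Python triage heuristic scans a constructed inventory of installed apps for the two things the article describes: the overlay plus accessibility plus SMS capability combination that enables fake login screens and one-time-code interception, and apps whose label impersonates Google Play Protect or MYT Müzik outside Google's package namespace. The inventory format, the "legitimate prefix" list and the label matching are assumptions; only the package name com.plus.currencyconverter comes from the report.

```python
# Added example: heuristic triage of an Android app inventory for GodFather-style
# overlay/2FA-bypass capabilities and impersonation. Inventory layout is assumed.
from dataclasses import dataclass, field

# Real Android permission names. An app draws overlays with SYSTEM_ALERT_WINDOW,
# an AccessibilityService declares BIND_ACCESSIBILITY_SERVICE (keylogging/input
# capture), and SMS permissions allow harvesting one-time codes.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

KNOWN_PACKAGES = {"com.plus.currencyconverter"}      # named in the Group-IB report
IMPERSONATED_LABELS = {"google play protect", "myt müzik"}
LEGIT_PREFIXES = ("com.google.", "com.android.")     # assumption: Google-owned namespaces


@dataclass
class App:
    package: str
    label: str
    permissions: set = field(default_factory=set)


def triage(app: App) -> list:
    """Return the findings for one installed app (empty list = nothing flagged)."""
    findings = []
    if app.package in KNOWN_PACKAGES:
        findings.append("package named in the GodFather report")
    if app.label.lower() in IMPERSONATED_LABELS and not app.package.startswith(LEGIT_PREFIXES):
        findings.append(f"label '{app.label}' impersonates a known app")
    if OVERLAY in app.permissions and ACCESSIBILITY in app.permissions:
        findings.append("overlay + accessibility: can draw fake login screens and log input")
        if app.permissions & SMS:
            findings.append("also reads SMS: can intercept one-time codes")
    return findings


def triage_inventory(inventory) -> dict:
    """Map package name -> findings, keeping only apps with at least one finding."""
    return {app.package: triage(app) for app in inventory if triage(app)}


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    App("com.google.android.gms", "Google Play Protect", {OVERLAY}),
    App("com.plus.currencyconverter", "Currency Converter Plus",
        {OVERLAY, ACCESSIBILITY, "android.permission.RECEIVE_SMS"}),
    App("org.example.notes", "Notes", {"android.permission.INTERNET"}),
    App("com.example.fake", "Google Play Protect", {OVERLAY, ACCESSIBILITY}),
]

if __name__ == "__main__":
    for pkg, findings in triage_inventory(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(findings))
```

On a real device the inventory would come from the MDM or `pm list packages` plus each app's manifest; the heuristic is a starting point for review, not a verdict.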