The Android banking Trojan Godfather has become a major threat. Now, after the BSI, the BaFin (Federal Financial Supervisory Authority) also felt it was necessary to issue a warning. The malware now attacks the users of over 400 international targets, including banking apps, cryptocurrency wallets, and crypto exchanges. According to the test laboratory AV-TEST, some protection apps now recognize the danger and fend off Godfather.
The Godfather banking Trojan is up to mischief on Android and is very difficult to detect. Godfather's targets include financial service providers in Canada, France, Germany, the UK, Italy and Poland; they are the hardest hit. There are also 49 financial institutions based in the US, 31 in Turkey and 30 in Spain. The BSI and the BaFin are now warning about it.
Godfather shows perfectly faked websites
Whenever a user of an infected device visits their financial services provider's website, Godfather overlays the real website with a fake one. If the user enters their login data, it is captured and forwarded. The malware then sends out push notifications to get hold of the codes for two-factor authentication. With this data, the cyber criminals may then be able to access users' accounts and wallets.
Infected app imitates Google Play Protect
The Android Trojan is still hidden in many apps from various app stores and probably also in the Google App Store. As soon as the app is started, it shows an animation of Google Play Protect scanning the system for infected apps. But the display is just an animated fake.
The Trojan even checks the language used on the device. If it encounters one of these languages, it does not become active:
- RU (Russia)
- AZ (Azerbaijan)
- AM (Armenia)
- BY (Belarus)
- KZ (Kazakhstan)
- KG (Kyrgyzstan)
- MD (Moldova)
- UZ (Uzbekistan)
- TJ (Tajikistan)
The Group-IB experts who examined the Trojan therefore suspect that the developers are based in one of the countries listed.
Is there protection against the Godfather Trojan?
An important detail about the Godfather Trojan is that it will not work if it is not granted access to the AccessibilityService on Android. The Accessibility Services enable an application to interact with other apps. An app with these rights then runs in the background as an operating aid and reacts to an event in another app, for example by overlaying screen content or automatically filling in text fields. This is the Trojan's trick.
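Because Godfather depends on being granted the AccessibilityService, one practical check is to list which accessibility services are enabled on a device and flag any that are not expected. The following Python code is an added example, not part of the original article: it parses the value returned by `adb shell settings get secure enabled_accessibility_services`, and the allowlist and the sample value (including the package `com.example.protectscan`) are constructed assumptions.

```python
import subprocess

# Assumption: packages whose accessibility services are expected on your devices.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}

def parse_enabled_services(raw):
    """Split the colon-separated setting value into (package, class) tuples."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # the setting is unset when nothing is enabled
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):      # ".Svc" is shorthand for "<package>.Svc"
            cls = package + cls
        services.append((package, cls))
    return services

def unexpected_services(raw, allowed=ALLOWED_PACKAGES):
    """Return enabled accessibility services whose package is not allowlisted."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in allowed]

def read_from_device(serial=None):
    """Read the setting from a USB-debugging-enabled device via adb."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    result = subprocess.run(cmd, capture_output=True, text=True,
                            check=True, timeout=30)
    return result.stdout

# Constructed sample value: TalkBack plus a hypothetical unknown app.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.protectscan/.ScanHelperService")

if __name__ == "__main__":
    # Swap SAMPLE for read_from_device() to audit a connected device.
    for package, cls in unexpected_services(SAMPLE):
        print(f"review accessibility grant: {package} ({cls})")
```

Any package it reports should be checked against what the user knowingly installed; the grant can be revoked in the device's accessibility settings.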
AV-TEST: Only some apps recognize GodFather
In response to an inquiry to AV-TEST on January 8, 2023, as to whether protection apps for Android detect the GodFather malware, the result was still mixed. Protection apps for Android devices from Avira, DrWeb, Fortinet, Ikarus, Kaspersky, AhnLab, Sophos, Symantec and TrendMicro detect the threat.
Editor/sel