Godfather banking Trojan has deep roots in older code.
N2K, Dec 21, 2022

Godfather, son of Anubis, has some lineage in the banking Trojan world.

Godfather banking Trojan has deep roots in older code.

Group-IB reported Wednesday morning, December 21st, 2022, that the Godfather banking Trojan is currently in wide use against popular financial services worldwide. The researchers say, "Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges." The malware is based on the old Anubis Trojan, updated and improved. Godfather is offered in the criminal-to-criminal (C2C) malware-as-a-service market, and it's distributed, Group-IB says, in the form of Trojanized applications sold in Google Play.

Target selection suggests the Godfather's connection to the Russian mob.

Significantly, the researchers say, “Godfather shuts down on an infected device if it detects that the user is from Russia or a CIS country,” the Commonwealth of Independent States still being treated as more-or-less friendly to Russia. The victims have in other respects been fairly widely distributed. "Godfather’s targets include 49 US-based companies, 31 Turkish-based companies, and 30 Spanish-based companies," Group-IB said. "Financial services providers in Canada, France, Germany, UK, Italy, and Poland were also among the most affected."

How Godfather evades detection.

And Godfather seems to have had some success in flying under the incautious user’s radar. Group-IB writes, “By imitating Google Protect, Godfather can easily go undetected on infected devices. Unwitting users believe they are being protected by an Android service, but in fact, the malicious actors gain access to their banking and financial portal accounts. While Group-IB does not have definitive data on the amount of money stolen by operators of Godfather, the methods harnessed by malicious actors are cause for concern.”

Ways in which the Godfather departs from its Anubis predecessor.

Group-IB observes that, "The case of Godfather highlights how quickly Trojan developers can adapt their tools and stay one step ahead of their Android counterparts. Additionally, it shows how easily available source code, such as that of Anubis, can be modernized and relaunched, especially under the Malware-as-a-Service model." Godfather dropped some functionality its developers apparently judged unnecessary (such as encryption) and added other capabilities. "Godfather overlays web fakes on infected devices that appear when a user interacts with a decoy notification or tries to open one of the legitimate applications targeted by Godfather," the researchers observe. "Any data, such as usernames and passwords, entered on the web fakes are harvested by the threat actors. Godfather can also exfiltrate SMS and push notifications to bypass two-factor authentication."
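The capabilities Group-IB describes (overlay "web fakes", interception of SMS and push notifications, and posing as "Google Protect") each require specific Android permissions or service bindings, and that combination is something a mobile-app vetting pipeline can screen for. The following triage script is an added example, not Group-IB's tooling or anything from the Godfather sample; it assumes that the described behaviours map onto the Android permission names listed in RISK_SIGNALS (that mapping is the author's assumption, not stated in the article), and it runs over a constructed list of app records standing in for parsed AndroidManifest.xml data.

```python
"""Triage Android app metadata for the overlay-banker pattern (added example).

Assumption, not from the article: the capabilities reported for Godfather
(overlay web fakes, SMS and push-notification exfiltration, impersonating
"Google Protect") correspond to the permissions and service permissions
in RISK_SIGNALS. Input records are constructed sample data.
"""
from dataclasses import dataclass

# Manifest entries (uses-permission names plus the android:permission attribute
# declared on services) mapped to the capability they grant.
RISK_SIGNALS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_SMS": "sms_intercept",
    "android.permission.READ_SMS": "sms_intercept",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_intercept",
}

# Package prefixes under which legitimate Google-branded apps are published.
GOOGLE_PREFIXES = ("com.google.", "com.android.")


@dataclass(frozen=True)
class AppRecord:
    package: str
    label: str          # user-visible app name
    signals: frozenset  # permission / service-permission names from the manifest


def capabilities(app: AppRecord) -> set:
    """Translate raw manifest permission names into capability labels."""
    return {RISK_SIGNALS[name] for name in app.signals if name in RISK_SIGNALS}


def impersonates_google(app: AppRecord) -> bool:
    """A Google-branded label on a package outside Google's namespaces."""
    return "google" in app.label.lower() and not app.package.startswith(GOOGLE_PREFIXES)


def triage(app: AppRecord) -> dict:
    """Return a verdict with the reasons that produced it."""
    caps = capabilities(app)
    reasons = []
    # Overlay alone is common (chat heads, floating widgets); overlay combined
    # with a way to read one-time codes is the credential-theft + 2FA-bypass shape.
    if "overlay" in caps and caps & {"sms_intercept", "notification_intercept"}:
        reasons.append("overlay plus SMS/notification access (2FA-bypass pattern)")
    if impersonates_google(app):
        reasons.append("label imitates a Google service but package is not Google's")
    return {
        "package": app.package,
        "verdict": "suspicious" if reasons else "clean",
        "capabilities": sorted(caps),
        "reasons": reasons,
    }


def triage_all(apps) -> list:
    return [triage(app) for app in apps]


# Constructed sample records (not real packages from the article).
SAMPLE_APPS = [
    AppRecord("com.example.fakeprotect", "Google Protect", frozenset({
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.RECEIVE_SMS",
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    })),
    AppRecord("com.example.flashlight", "Flashlight", frozenset({
        "android.permission.CAMERA",
        "android.permission.SYSTEM_ALERT_WINDOW",
    })),
    AppRecord("com.google.android.gms", "Google Play services", frozenset({
        "android.permission.RECEIVE_SMS",
    })),
]

if __name__ == "__main__":
    for report in triage_all(SAMPLE_APPS):
        print(report)
```

Only the first record is flagged: it combines an overlay with two channels for reading one-time codes and carries a Google-looking label on a non-Google package. The flashlight app requests the overlay permission but nothing that would let it read a second factor, and the genuine Google package is excluded from the impersonation rule by its namespace. In a real pipeline the records would come from a manifest parser such as androguard, and the verdict would feed a manual-review queue rather than an automatic block.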

Will LaSala, Field CTO at OneSpan, explains that the intrusion of malware into app stores is part of the inevitable back-and-forth between criminal activity and legitimate commerce.

“Dangerous malware is making its way onto users’ mobile phones, and many developers and app publishers still feel that the app stores from Google and Apple are protected from being infected with malware. With this new ‘Godfather’ trojan, it is important to understand that malware evolves as quickly as the big app stores can take them down. Developers and app publishers should ensure their applications are protected with app shielding, beyond what these stores can offer.

"The trojans of today focus on specific types of attacks, which can be stopped by app shielding being applied to your application before they can cause damage. App shielding is a process of hardening the application before it is published to the app store. It will protect from screen readers, library injection, and even app store repackaging - which is how many trojans are being deployed now. Trust in the big app store providers should be evaluated, and additional technology should be applied to protect your users.”