December 21, 2022

Godfather banking trojan targets fintech apps and cryptocurrency exchanges

It allows cybercriminals to make app users an offer they can't refuse – and won't even know about.

By Claudia Glover

UK financial institutions are among some 400 targets of an Android banking trojan known as Godfather, new research has revealed. All were targeted over the last three months, and they comprise banking apps, cryptocurrency wallets and cryptocurrency exchanges.

A banking trojan called the Godfather is targeting financial institutions across the globe. (Picture courtesy of Usa-Pyon/Shutterstock)

Godfather is designed to let cybercriminals harvest login credentials for online banking and other financial services so that they can drain victims' accounts. It has been in widespread use since October, according to a report from security vendor Group-IB.

Godfather banking trojan targets victims globally

The targets of the new banking trojan are spread across the globe: 17 are in the UK, 49 in the United States, 31 in Turkey and 30 in Spain. The rest are in Canada, France, Germany, Italy and Poland, according to the Group-IB report.

Countries of the former Soviet Union are so far absent from the list of Godfather's victims, and a check in the code explains why. "If the potential victim's system preferences include one of the languages in that region, the Trojan shuts down," the report reads. Such a language-based kill switch is a common practice among Russian ransomware gangs that want to target only citizens of Western countries, which suggests the trojan's creators may be Russian.

How does the Godfather work?

The Godfather banking trojan is hidden inside mobile applications distributed through the Google Play Store. The payload disguises itself as Google Protect, the Play service that scans apps for potentially harmful behaviour. "After a user launches the malware it emulates the legitimate Google application," Group-IB's researchers said. "An animation shows Google Protect 'activity' but the 'scanner' does not actually do anything."

The scanning animation is displayed for 30 seconds, after which a message appears saying that no malicious applications were found. Godfather then grants itself the permissions it needs and begins communicating with its command-and-control (C2) server, an attacker-controlled system that sends commands to infected devices and receives the data stolen from them.

The victim uses their phone as normal but runs into difficulties when they make a payment or enter financial details. "The user eventually discovers that the money from their account is gone. They might try to withdraw the permissions or delete the application, but the settings will keep collapsing and the device will keep returning to the home screen," the report says.


Some of these tactics, techniques and procedures bear more than a passing resemblance to an older banking trojan called Anubis. According to the report, Godfather's developers took the Anubis source code as their basis and modernised it for newer versions of Android, adding relevant features and removing others, such as file encryption, audio recording and GPS location collection.

In their place, Godfather gained a host of new capabilities. These include recording the screen of the victim's device, keylogging (recording keystrokes), bypassing multi-factor authentication by exfiltrating push notifications and forwarding calls, and sending SMS messages from infected devices, among others.
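The capabilities listed above cannot be exercised silently on Android: each one rests on a permission the app must request or on a privileged service it must declare in its manifest, which gives defenders something concrete to look for when triaging an APK. The script below is an added example, not code from the article or from Group-IB's report. It parses a manifest and flags the permission and service signals behind the behaviours described here, and it applies one further heuristic suggested by the Google Protect disguise: an app label claiming to be Google under a non-Google package name. The permission-to-capability mapping and both sample manifests are assumptions constructed for this example from the Android platform's permission model, not taken from any Godfather sample.

```python
"""Triage an Android manifest for the capability set described above.

Added example: the permission-to-capability mapping and both sample
manifests are constructed for illustration, not taken from a Godfather
sample or from Group-IB's report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an app must request to obtain each capability (assumed mapping).
CAPABILITY_PERMISSIONS = {
    "send SMS from the device": {"android.permission.SEND_SMS"},
    "read incoming SMS (one-time codes)": {"android.permission.RECEIVE_SMS",
                                           "android.permission.READ_SMS"},
    "place or redirect calls": {"android.permission.CALL_PHONE",
                                "android.permission.ANSWER_PHONE_CALLS"},
    "draw overlays (web fakes on top of banking apps)": {
        "android.permission.SYSTEM_ALERT_WINDOW"},
    "restart after reboot (persistence)": {
        "android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Privileged services are recognised by the permission the <service> must
# declare so that only the system can bind to it.
PRIVILEGED_SERVICES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "accessibility service (keylogging, self-granted permissions, "
        "closing Settings to block removal)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "notification listener (exfiltrating push notifications used for 2FA)",
}


def parse_manifest(xml_text):
    """Return (package, app label, requested permissions, service permissions)."""
    root = ET.fromstring(xml_text)
    package = root.get("package") or ""
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") if app is not None else "") or ""
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    services = {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    perms.discard(None)      # malformed entries without android:name
    services.discard(None)   # ordinary services declare no bind permission
    return package, label, perms, services


def triage(xml_text):
    """List (capability, evidence) pairs that the manifest supports."""
    _, _, perms, services = parse_manifest(xml_text)
    findings = []
    for capability, needed in CAPABILITY_PERMISSIONS.items():
        evidence = sorted(perms & needed)
        if evidence:
            findings.append((capability, evidence))
    for permission, capability in PRIVILEGED_SERVICES.items():
        if permission in services:
            findings.append((capability, [permission]))
    return findings


def looks_like_impersonation(xml_text):
    """True when the app label claims to be Google but the package is not.

    Heuristic only: a label given as a resource reference (@string/...) is
    not resolved here, so a real tool would also decode the APK's resources.
    """
    package, label, _, _ = parse_manifest(xml_text)
    return "google" in label.lower() and not package.startswith("com.google.")


# Constructed sample: what an overlay banker posing as "Google Protect" would
# need to request. Not a real manifest.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeprotect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Google Protect">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Constructed sample of an unremarkable app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        findings = triage(manifest)
        print(f"{name}: {len(findings)} capability signal(s), "
              f"impersonation={looks_like_impersonation(manifest)}")
        for capability, evidence in findings:
            print(f"  - {capability}: {', '.join(evidence)}")
```

On the constructed suspect manifest the script reports six signals (SMS sending and interception, overlays, boot persistence, an accessibility service and a notification listener) and the impersonation heuristic fires, while the benign manifest produces nothing. No single one of these permissions is malicious on its own; the combination of overlay drawing with an accessibility service and SMS or notification access is what distinguishes an overlay banker from, say, a messaging app, so a real triage pipeline would weight the co-occurrence rather than any individual entry.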

The similarities between the Godfather and Anubis showcase the growing skill of the cybercriminals, says Artem Grischenko, junior malware analyst at Group-IB: “The emergence of the Godfather underscores the ability of the threat actors to edit and update their tools to maintain their effectiveness in spite of efforts by malware detection and prevention providers to update their products," he says. "Malicious actors can return to the source code, update out of date malware types and in many ways make them even more dangerous. 

“With a tool like the Godfather, threat actors are limited only by their abilities to create convincing web fakes for a particular application."

