UK financial institutions are among 400 victims of a banking trojan known as the Godfather, new research has revealed. The victims have all been targeted over the last three months and comprise banking apps and cryptocurrency wallets and exchanges.
The Godfather is designed to allow hackers to harvest login credentials for online banking and other financial services so they can drain the accounts of victims. It has been in widespread use since October, says a report from security vendor Group-IB.
Godfather banking trojan targets victims globally
The victims of the new banking trojan are spread across the globe: 17 of those targeted are in the UK, 49 in the United States, 31 in Turkey and 30 in Spain. The rest of the victims are in Canada, France, Germany, Italy and Poland, according to the Group-IB report.
Former Soviet countries have so far been absent from the list of Godfather victims, owing to a line in the code. “If the potential victim’s system preferences include one of the languages in that region, the Trojan shuts down,” reads the report. This is a common technique among Russian ransomware gangs that wish to target only citizens of Western countries, indicating that the creators of the trojan may be Russian.
How does the Godfather work?
The Godfather banking trojan is hidden in mobile applications on the Google Play Store. The payload is spoofed so that the malicious code looks like Google Protect, the service that checks apps for potentially harmful behaviours. “After a user launches the malware it emulates the legitimate Google application,” Group-IB’s researchers said. “An animation shows Google Protect ‘activity’ but the ‘scanner’ does not actually do anything.”
The scanning animation is displayed for 30 seconds, after which a message appears saying no malicious applications were found. The Godfather then grants itself the necessary permissions and starts communicating with the command and control server: a computer controlled by an attacker or cybercriminal that is used to send commands to systems compromised by malware and to receive stolen data from a target network.
The victim uses their phone as normal but starts to run into difficulties when they make a payment or enter financial details. “The user eventually discovers that the money from their account is gone. They might try to withdraw the permissions or delete the application, but the settings will keep collapsing and the device will keep returning to the home screen,” the report says.
Some of these tactics, techniques and procedures bear more than a passing resemblance to an older banking trojan called Anubis. According to the report, the Godfather’s developers used Anubis source code as a basis and modernised it for newer versions of Android, adding relevant features and removing others, such as file encryption, audio recording and GPS location retrieval.
In their place, the Godfather has a host of new capabilities. These include recording the screen of the victim’s device, launching keyloggers (programmes that record keyboard strokes), bypassing multi-factor authentication by exfiltrating push notifications and forwarding calls, and sending SMS messages from infected devices, among others.
The similarities between the Godfather and Anubis showcase the growing skill of cybercriminals, says Artem Grischenko, junior malware analyst at Group-IB: “The emergence of the Godfather underscores the ability of the threat actors to edit and update their tools to maintain their effectiveness in spite of efforts by malware detection and prevention providers to update their products,” he says. “Malicious actors can return to the source code, update out-of-date malware types and in many ways make them even more dangerous.
“With a tool like the Godfather, threat actors are limited only by their abilities to create convincing web fakes for a particular application.”