The Play Store is once again home to dangerous malware! Called The Godfather, this Trojan targets financial institutions by imitating legitimate apps and security tools, including Google Play Protect.

The Play Store is once again home to dangerous malware


Once again, the Play Store is home to dangerous malware. Named The Godfather, it is an extremely virulent Trojan whose secrets are far from fully understood. It was discovered by analysts at Group-IB and at the American security firm Cyble. The Godfather is based on an older Trojan, Anubis, which is now obsolete following updates deployed by Google. There are indeed many similarities between the two: Anubis exfiltrated all the data from the infected device, including its geolocation and its IMEI number (a unique device identifier), and requested access to certain functions such as the camera and microphone. Unfortunately, The Godfather has new tricks that allow it to bypass Google's latest defenses. It first appeared in June 2021 and remained rather discreet before returning in force in September 2022. It has already targeted 419 financial services since its appearance, although the reports do not name the institutions affected.

The Godfather: a Trojan horse that targets banking applications

The Godfather specializes in stealing its victims' banking details. The malware has already attacked 215 international banking apps, 94 cryptocurrency wallets and 110 cryptocurrency exchanges. These are located mainly in the United States (49), Turkey (31) and Spain (30), but also in the United Kingdom, Italy, Germany and France. Interestingly, it checks the language the smartphone is set to before launching the infection, and "does not launch if it is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek or Tajik", explains Group-IB, which suggests that its operators are based in one of these countries.

The Godfather works in a simple but effective way, which makes it particularly dangerous, especially since it is very difficult to detect. To trick its victims, it pretends to be Google Play Protect, the security service that scans all installed applications and is therefore present on every Android smartphone, going so far as to imitate the fingerprint scanner. It uses this disguise to request a whole series of permissions that allow it to perform malicious actions on the infected device. Worse still, once installed, it is impossible to remove the malware.

The Godfather: malware with multiple strings to its bow

Once properly installed, The Godfather grabs SMS messages, notifications, contacts, call history and data stored in internal memory. Most importantly, it captures screenshots of the device, runs a keylogger, sends text messages and even forwards calls by establishing VNC and WebSocket connections, a small addition in the September 2022 release. All of these techniques allow it "to steal data entered by the user in legitimate applications", warns Group-IB, and thus to collect login credentials, even bypassing two-factor authentication. In Turkey, for example, The Godfather impersonated a music app that had been downloaded over 10 million times; it has since been removed from the Play Store.

Although, as is often the case, the Trojan can reach a phone through a fraudulent application installed from the Play Store, Group-IB emphasizes that this is only "one of the ways the malware is distributed", and not all of them have yet been discovered. What is known is that the attackers also distribute it through alternative app stores or directly on the Internet via advertisements. That is why it is recommended to download apps only from trusted sources and known developers, not to follow suspicious links sent by message, to limit the number of apps installed on your phone to the essentials, and to uninstall them as soon as they are no longer needed.
