Wednesday, December 21, 2022

Hundreds of banks and crypto exchanges targeted by Android Godfather malware

Multiple cybersecurity firms have confirmed the existence of Godfather, an Android banking malware that has been found targeting victim's bank and cryptocurrency accounts. 

Experts at Group-IB, ThreatFabric, and Cyble have all recently reported on Godfather, its targets, and methodologies, which sees the malware attempt to steal login data by overlaying legitimate banking and cryptocurrency apps (exchanges, wallets, and similar). 

The group found that Godfather has targeted more than 400 different entities, with most of them being in the US (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17). 

Multiple infection vectors

What’s more, the malware analyzes the endpoint it infected, and if it determines that the device language is either Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik, it shuts the whole operation down - leading some of the researchers to believe that the threat actors are of Russian origin.

The exact number of infected devices is impossible to determine, as Play Store is not the only infection vector. In fact, the malware has had a relatively limited distribution through Google’s app repository, and the main distribution channels are yet to be discovered. What we do know, courtesy of Cyble’s research, is that one of the malicious apps has more than 10 million downloads under its belt. 

But when a victim downloads the malware, they first need to give it permissions, which is why in some instances, it imitates “Google Protect” and demands access to the Accessibility Service. If the victim provides, the malware takes over SMS texts and notifications, starts recording the screen, exfiltrates contacts and call lists, and more. 

Read more

> Beware, this new Android banking malware could hijack your phone

 > These fake Android antivirus apps install a dangerous banking trojan

 > These are the best ID theft protection solutions around

By turning on Accessibility Service, the malware gets even harder to eliminate, too, and allows threat actors to exfiltrate Google Authentication one-time passwords, as well. 

The researchers also said that the malware has additional modules that can be added, giving it extra features such as to launch a VNC server, enable silent mode, establish a WebSocket connection, or dim the screen.

Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/2YL1WwU
at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Forget about Wi-Fi, your own private 5G network could be the answer to your connection woes — here's how to set one up for much cheaper than you think

Private 5G networks, where individuals or companies set up their own cellular connections, could potentially provide a viable alternative t...