A group of researchers has discovered a banking Trojan called Godfather, designed to let attackers steal users’ login credentials for banking apps and other financial services, which is said to have affected 30 Spanish companies.
Cybersecurity firm Group-IB announced that this “malware” attacked more than 400 international targets, including banking apps, cryptocurrency wallets and cryptocurrency services.
According to the researchers, this Trojan is the successor of another banking virus called Anubis, which fell out of use thanks to Android updates and the efforts of malware detection and prevention vendors.
Godfather is a mobile banking Trojan that steals credentials for cryptocurrency exchanges and banking apps. It was first discovered in June 2021, although ThreatFabric researchers did not report on it until March 2022. It stopped circulating in June and reappeared in 2022 with modified WebSocket functionality.
Group-IB insists that the developers of this Trojan used the Anubis source code as a base and optimized it for the latest versions of Android, adding new functionality and removing old features.
While the Anubis source code is publicly available, the researchers added that it cannot be confirmed that both were created by the same developer or operated by the same threat group.
Godfather’s job is to display fake web overlays on infected devices, which appear when a user interacts with a push notification or tries to open a legitimate application targeted by the Trojan.
In addition, this malicious “program”, distributed as “Malware as a Service” (MaaS), can collect user data such as names or passwords, as well as exfiltrate SMS messages and notifications in order to bypass two-factor authentication.
Other functions of this “malware”, which is distributed via rogue apps hosted on Google Play, include recording the victim’s device screen, establishing VNC connections, forwarding calls and executing USSD requests.
According to data collected by Group-IB, its Threat Intelligence team detected more than 400 international financial companies targeted by this “malware” on Android devices between June 2021 and October 2022.
To date, 215 international banks, 94 cryptocurrency wallets and 110 cryptocurrency exchanges have fallen victim to the Godfather. Furthermore, of all those affected by this Trojan, 49 are in the United States, 31 in Turkey and 30 in Spain.
The list of countries affected by the Anubis successor also includes organizations in Canada, Germany, France, the United Kingdom, Italy and Poland.