Guards up! The "GodFather" is hunting for your money

The “Godfather” malware warnings continue to circulate on the Internet. The German Federal Financial Supervisory Authority warned users of the potential risk on January 9.

The Godfather is a brand-new malware program that disguises itself as settings and antivirus software. It was revealed for the first time at the end of 2021. Since then, warnings about potential attacks have appeared on the Internet on a regular basis.

Representatives of Group-IB, a leading developer of cybersecurity solutions, describe the Godfather as an Android banking Trojan and a  successor of the infamous Anubis Trojan. The activity of the latter has significantly decreased due to the inability to overcome the improved OS protection mechanisms.

The Godfather had targeted more than 400 banking, cryptocurrency exchange, and digital wallet applications across at least 16 countries.

It is currently unclear how the Godfather gains access to the devices. Group-IB claims that downloading apps from the Google Play Store spreads a banking Trojan. MYT Müzik, a Turkish app with over 10 million downloads, is among the suspects. 

How does the GodFather function?

"Main malware capabilities include remote actions, overlay attacks, keylogging, screen captures, SMS/Call/Application monitoring and blocking," cybersecurity experts at ThreatFabric wrote.

The software exposes users to phony versions of their usual banking or cryptocurrency application websites. If victims, unaware of the trick, enter personal information to access their personal accounts, confidential information is transferred to cybercriminals.

The Godfather also sends push notifications to receive two-factor authentication codes. Attackers can easily access user accounts and wallets once they get the desired code.

An interesting fact is that the Godfather activation is based on the language that has been installed on the device. The malware will not be activated if the user selects Russian, Belarusian, Kazakh, Moldovan, Armenian, Azerbaijani, Kyrgyz, Tajik, or Uzbek in the default settings. This allows Group-IB to assume that the creators of the Trojan live in CIS countries.

The German Federal Financial Supervisory Authority has once again emphasized the importance of using mobile applications responsibly and carefully. Users in Germany and other countries can find detailed recommendations in a special video created by Federal Office for Information Security specialists. The video is available on its official YouTube channel.