Godfather Android Malware Stealing Login Credentials of Over 400 Bank Users
Android users are currently experiencing an increase in the incidence of the GodFather banking trojan, which mainly targets European users.
The GodFather Android malware was first discovered in March 2022 and was described as one of the most infamous trojans by Cyble Research & Intelligence Labs (CRIL), actively targeting Android banking users around the world.
Several samples of GodFather Android apps have been discovered recently that masquerade as MYT applications. The application is named MYT Müzik, which is written in Turkish.
Technical Analysis of the Android Malware
It therefore appears that this application is aimed at Android users in Turkey. To evade detection by anti-virus products, the GodFather samples analyzed were encoded using custom and complex encryption techniques.
Analysts were able to determine that this application had been packaged in a manner similar to another legitimate application, and that it disguised itself as MYT Music. The legitimate app has more than 10 million downloads on the Google Play Store, which is hosted on Google's servers.
Once it has been successfully installed on the victim's device, the GodFather Android malware gains the ability to steal the following sensitive data and perform the following illicit actions:-
- SMSs
- Basic device details
- Installed apps data
- Device's phone number
- Control the device screen using Remote Desktop
- Forward incoming calls from a victim's device
- Inject banking links into the device's browser
The APK metadata is listed below:-
- App Name: MYT Müzik
- Package Name: com.expressvpn.vpn
- SHA256 Hash: 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4
Permissions Requested
The malware requests 23 different permissions from the user, and at least six of those permissions are abused by the malware.
Here is a list of those dangerous permissions:-
- READ_CONTACTS: Access phone contacts
- READ_PHONE_STATE: Allows access to phone state, including the current cellular network information, the phone number and serial number of the phone, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
- CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
- WRITE_EXTERNAL_STORAGE: Allows the app to write or delete files in the device's external storage
- DISABLE_KEYGUARD: Allows the app to disable the keylock and any associated password security
- BIND_ACCESSIBILITY_SERVICE: Used for the Accessibility Service
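As an added example (not code from the article or from the analysts cited), the following Python triage check parses a decoded AndroidManifest.xml and flags the combination of abused permissions listed above together with a declared accessibility service. The sample manifest, its package name and the scoring threshold are constructed for illustration, not taken from the GodFather sample.

```python
# Added triage example (not from the article): parse a decoded manifest and
# flag the abused-permission combination described in the analysis.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The six permissions the analysis says the malware abuses.
ABUSED_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.DISABLE_KEYGUARD",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Constructed sample manifest for a hypothetical app (package name is made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <application android:label="Music">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return (package, sorted abused permissions found, has accessibility service)."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE;
    # apps do not request that permission, so detect it on the service element.
    a11y = any(s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for s in root.iter("service"))
    hits = requested & ABUSED_PERMISSIONS
    if a11y:
        hits.add("android.permission.BIND_ACCESSIBILITY_SERVICE")
    return root.get("package"), sorted(hits), a11y

def is_suspicious(xml_text, threshold=4):
    """Heuristic (constructed): accessibility service plus CALL_PHONE or
    DISABLE_KEYGUARD, and at least `threshold` abused permissions overall."""
    _, hits, a11y = triage_manifest(xml_text)
    high_risk = {"android.permission.CALL_PHONE", "android.permission.DISABLE_KEYGUARD"}
    return a11y and bool(high_risk & set(hits)) and len(hits) >= threshold
```

Run it over manifests extracted with a decoder such as apktool; a hit is a reason to look closer at the APK, not proof of infection on its own.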
The malicious application also hides and unhides its icon on the device's launcher.
As soon as it receives the sunset_cmd command from the threat actors' C&C server, the malware injects HTML phishing pages and then constructs an overlay window in the OnAccessibilityEvent method.
The malicious application obtains the URL of the C&C server from this Telegram channel:-
- hxxps://t[.]me/varezotukomirza
It uses this channel to communicate with the TAs so that it can receive commands and send the stolen data from the device.
Commands Used by the Malware
To steal sensitive data from the users' devices, the malware uses the following commands:-
- startUSSD
- sentSMS
- startApp
- startforward
- killbot
- send_all_permission
- vnc_open
- keylog_active
- unlock_screen
- sunset
- startscreen
Recommendations
The recommendations are listed below:-
- Only legitimate app stores should be used to download and install software.
- Make sure every one of your connected devices is protected by a reputable anti-virus and internet security program.
- Whenever possible, make sure that strong passwords are used and that multi-factor authentication is enforced.
- Make sure the biometric security features are enabled.
- If you receive any links through SMS or email on your phone, make sure you do not open them without validating their authenticity.
- If your Android device supports Google Play Protect, make sure that it is enabled.
- Whenever you grant any permission, make sure you do so with caution.
- Make sure the operating system, applications, and devices you use are up to date.
- Make sure that the amount of mobile/Wi-Fi data regularly used by applications installed on mobile devices is consistent with what you expect.
- Make sure that you stay on top of anti-virus notifications and Android OS alerts and take appropriate action when needed.
- Make sure that Wi-Fi/mobile data is turned off when not in use.
- You should keep a backup of all of the media files that you have.
- You should report any fraudulent transactions to your bank as soon as possible if there is a problem.
- To prevent future malware attacks, banks and other financial institutions should educate their customers on ways to protect themselves against phone, SMS, or email scams.
Source credit : cybersecuritynews.com