Site icon TechNewsBoy.com

Hundreds of banks and crypto exchanges targeted by Android Godfather malware

Scott Marlette
Hundreds of banks and crypto exchanges targeted by Android Godfather malware

Multiple cybersecurity firms have confirmed the existence of Godfather, an Android banking malware that has been found targeting victim’s bank and cryptocurrency accounts. 

Experts at Group-IB, ThreatFabric, and Cyble have all recently reported on Godfather, its targets, and methodologies, which sees the malware attempt to steal login data by overlaying legitimate banking and cryptocurrency apps (exchanges, wallets, and similar). 

The group found that Godfather has targeted more than 400 different entities, with most of them being in the US (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17). 

Multiple infection vectors

What’s more, the malware analyzes the endpoint it infected, and if it determines that the device language is either Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik, it shuts the whole operation down – leading some of the researchers to believe that the threat actors are of Russian origin.

The exact number of infected devices is impossible to determine, as Play Store is not the only infection vector. In fact, the malware has had a relatively limited distribution through Google’s app repository, and the main distribution channels are yet to be discovered. What we do know, courtesy of Cyble’s research, is that one of the malicious apps has more than 10 million downloads under its belt. 

But when a victim downloads the malware, they first need to give it permissions, which is why in some instances, it imitates “Google Protect” and demands access to the Accessibility Service. If the victim provides, the malware takes over SMS texts and notifications, starts recording the screen, exfiltrates contacts and call lists, and more. 

By turning on Accessibility Service, the malware gets even harder to eliminate, too, and allows threat actors to exfiltrate Google Authentication one-time passwords, as well. 

The researchers also said that the malware has additional modules that can be added, giving it extra features such as to launch a VNC server, enable silent mode, establish a WebSocket connection, or dim the screen.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here
Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.
Exit mobile version