Mobile phone Trojan “Godfather” is targeting online banking apps

Mobile phone Trojan “Godfather” hunts down online banking apps – and has it in for your accounts


The Federal Financial Supervisory Authority (Bafin) warns of a new Trojan that is said to primarily target login data for bank accounts and crypto apps.

The Federal Financial Supervisory Authority (Bafin) warns of the malware “Godfather”. It is said to record inputs made in well-known banking and crypto apps and then transmit them to criminals. The software can also send deceptively genuine-looking notifications of the kind that usually serve to approve transfers and logins. According to the warning, this would give attackers access to the accounts or wallets of those affected.

400 banking and crypto apps affected

Bafin says that “Godfather” is currently focusing on around 400 well-known banking and crypto apps, including popular programs from Germany. It is currently not clear how “Godfather” is spreading or which sources should be avoided.

Once installed, the malware aims to display fake websites of banks and crypto exchanges. As soon as you log in there, the Trojan is said to forward the entries to third parties.

Following its warning, Bafin gives only general tips on how to protect yourself from attacks on mobile devices, but does not go into more detail about “Godfather” or any distribution sources.

The IT trade magazine “Bleeping Computer” makes it clear that apparently only users of Android smartphones are affected. As an example, the report cites a manipulated music app called “MYT Müzik”, the genuine version of which has been downloaded more than ten million times from the Google Play Store and is therefore probably searched for often.

Android accessibility services serve as a gateway

“Godfather” was discovered by “Group-IB”, which published a major report on the Trojan at the end of December. According to this, “Godfather” is active in 16 countries, but stops all functions as soon as it detects that the victim speaks Russian and has set a corresponding system language, a well-known pattern that ransomware extortionists also follow.

As for how it works, the experts found evidence that the Trojan exploits a Google service called Protect. Google Play Protect normally performs a security check before apps are downloaded from the Google Play Store. “Godfather” simulates its function and imitates such a check. The software then asks for access to Android’s Accessibility Services.

If access is granted, the system gives the Trojan permission to modify apps in the interests of accessibility, but the Trojan uses this to capture data through fake websites and deceive users. The experts at “Security Research Labs” warned at the end of 2021 that malware on Android devices prefers to exploit this route.
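A defender-side check for the accessibility route described above, as an added example that is not part of the original article or of any vendor's tooling: it lists enabled accessibility services whose package the device owner did not knowingly approve. The allowlist, the function name and the sample component names are constructed assumptions.

```shell
#!/bin/sh
# Audit which apps currently hold an enabled Android accessibility service.
# On a device with USB debugging enabled, the real input comes from:
#   adb shell settings get secure enabled_accessibility_services
# which prints a colon-separated list of package/class components, or "null".

# Assumption: packages the owner deliberately granted accessibility access to.
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.example.passwordmanager"

# Constructed sample of the settings output (not captured from a real device).
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.musicplayer/com.example.musicplayer.ScanService'

# Print every enabled service component whose package is not on the allowlist.
flag_unexpected_services() {
    enabled=$1
    # Nothing enabled: the setting is empty or the literal string "null".
    case $enabled in ''|null) return 0 ;; esac

    # Split on ':' without glob expansion, then restore normal splitting.
    old_ifs=$IFS
    IFS=:
    set -f
    set -- $enabled
    set +f
    IFS=$old_ifs

    for component in "$@"; do
        [ -n "$component" ] || continue
        pkg=${component%%/*}          # package name is the part before '/'
        case " $ALLOWED_PACKAGES " in
            *" $pkg "*) ;;            # knowingly approved, ignore
            *) printf '%s\n' "$component" ;;
        esac
    done
}

# Stand-alone run on the constructed sample; replace "$SAMPLE" with the
# output of the adb command above to audit a real device.
flag_unexpected_services "$SAMPLE"
```

Any component this prints belongs to an app that can observe and act on other apps' screens, so it deserves a manual review in the device's accessibility settings.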
