In the last few months of 2022, a new strain of malware hit Android smartphones: "Godfather". Identified by Group-IB, it was built to steal the credentials of more than 400 banking and financial applications, including those of 20 French banks. To do so, the malware impersonated Google Play Protect and displayed fake login pages overlaid on the legitimate app's screen; it was through these overlays that it harvested its victims' personal data. Overlay phishing of this kind is a very common tactic among Android banking malware.
Less than three years later, Godfather is back in the form of a new variant. Uncovered by zLabs, Zimperium's research team, this "sophisticated evolution" stands out for a more original and complex modus operandi. As the researchers explain, the new Godfather relies on a "more deceptive and effective form of attack."
How does Godfather steal your data?
To spread the malware, the operators hide the malicious payload inside the code of an app's APK file. Once it is installed on a victim's smartphone, Godfather enumerates every installed app, paying particular attention to banking and financial-services apps.
The malware then loads the targeted apps into its virtualization framework, a component that creates an isolated environment on the smartphone: an app-level container inside the malicious host application that is able to run other applications. That container downloads and runs "a copy of the real banking application". In fact, "when the user launches their application, they are unwittingly redirected to this virtualized version, where every action, entry, and interaction is monitored and controlled remotely." The malware doesn't just "simulate a login interface, it creates an isolated virtual environment." Instead "of simply imitating a login screen, the malware installs a booby-trapped host application equipped with a virtualization system," the researchers' report emphasizes.
It is through this virtual environment, under the attackers' control, that the malware obtains victims' data: it will "capture logins, passwords, PINs, and phone lock patterns in real time." The entire process is invisible; neither the user nor the operating system notices anything, since the banking app appears to run normally. This lets the cybercriminals operate without alerting Android's security mechanisms and "intercept credentials and sensitive data in real time."
Once it has the credentials, the malware uses them to log in to the real banking application. While it performs fraudulent transfers, the user sees a black screen with a message such as "update in progress". This virtualization technique "erodes the fundamental trust between a user and their mobile applications," according to the experts who discovered the malware.
500 Android apps targeted by the malware
According to zLabs' investigation, Godfather is built to target 500 different Android applications, primarily banking apps. Payment services, messaging apps, and e-commerce platforms are also among its preferred targets. The campaign extends "across Europe, with major banks in Germany, Spain, France, and Italy" among the targets.
Godfather is also designed to deceive users of 100 different cryptocurrency apps: exchanges and wallets are in the cybercriminals' crosshairs. While the malware can attack apps from all over the world, it is currently focused on 12 banking apps popular in Turkey. Expect more banking and financial institutions to land in Godfather's sights in the near future.
zLabs recommends not installing Android apps from outside the Play Store, keeping Google Play Protect enabled on your phone, and keeping an eye on the permissions requested by Android apps: malicious apps often request far more permissions than they need.
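As an added example (not part of the article or of Zimperium's report), the following POSIX shell script turns those two recommendations into a check you can run against an attached phone with adb, or offline against captured text. It parses `pm list packages -i` output to list packages that did not come from the Play Store, and `dumpsys package <pkg>` output to flag requested permissions from a watchlist. The trusted-installer list, the permission watchlist and the sample device output are all assumptions made for this example, not data from the report.

```shell
#!/bin/sh
# Added example, not code from the article or from Zimperium's report.
# Triage helper: which apps were sideloaded, and which of them request
# permissions worth a second look. Runs offline on captured package-manager
# text; pass --device to read from an attached phone through adb.

# Installers considered trusted. Assumption: Play Store only; add your MDM or
# OEM store here if your fleet uses one.
TRUSTED_INSTALLERS='com.android.vending'

# Permissions to flag. Assumed watchlist (overlay, accessibility, SMS and
# installer abuse are classic Android banking-trojan needs); not from the report.
WATCHLIST='android.permission.SYSTEM_ALERT_WINDOW
android.permission.BIND_ACCESSIBILITY_SERVICE
android.permission.REQUEST_INSTALL_PACKAGES
android.permission.READ_SMS
android.permission.RECEIVE_SMS'

# stdin: lines from `pm list packages -i`, e.g.
#   package:com.bank.app  installer=com.android.vending
#   package:com.evil.host  installer=null        (null = ADB or manual sideload)
# stdout: one package name per line whose installer is not trusted.
sideloaded_packages() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}
        installer=${line##*installer=}
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            if [ "$installer" = "$t" ]; then trusted=1; fi
        done
        if [ "$trusted" -eq 0 ]; then printf '%s\n' "$pkg"; fi
    done
}

# stdin: `dumpsys package <pkg>` text. Only the "requested permissions:" block
# is read (it ends at the next line that itself ends with a colon).
# stdout: watchlisted permissions the package requests, one per line.
risky_permissions() {
    awk -v watch="$WATCHLIST" '
        BEGIN { n = split(watch, w); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[[:space:]]*requested permissions:/ { inreq = 1; next }
        inreq && /:[[:space:]]*$/ { inreq = 0 }
        inreq {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "")
            p = $1; sub(/:$/, "", p)
            if (p in want) print p
        }
    '
}

# Constructed sample output (not from a real device) so the script runs offline.
SAMPLE_PM='package:com.bank.app  installer=com.android.vending
package:com.evil.host  installer=null'
SAMPLE_DUMP='  requested permissions:
    android.permission.INTERNET
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.BIND_ACCESSIBILITY_SERVICE
  install permissions:
    android.permission.INTERNET: granted=true'

if [ "${1:-}" = "--device" ]; then
    # adb output carries CRLF line endings; strip them before parsing.
    adb shell pm list packages -i | tr -d '\r' | sideloaded_packages |
    while IFS= read -r pkg; do
        echo "sideloaded: $pkg"
        adb shell dumpsys package "$pkg" | tr -d '\r' | risky_permissions |
            sed 's/^/  requests: /'
    done
else
    echo "sideloaded (sample):"
    printf '%s\n' "$SAMPLE_PM" | sideloaded_packages
    echo "risky permissions for com.evil.host (sample):"
    printf '%s\n' "$SAMPLE_DUMP" | risky_permissions
fi
```

A package that reports `installer=null` was installed by ADB or by the user from a downloaded APK, which is exactly the path a trojanized host app takes; an OEM store or MDM installer will also show up until you add it to `TRUSTED_INSTALLERS`. A sideloaded package that additionally requests overlay or accessibility permissions deserves a closer look before it is allowed to stay on a device used for banking.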
Source: Zimperium