A banking threat for Android systems called “Godfather” or “Padrinho” has already claimed victims in 16 countries, including Portugal. In practice, it tries to steal account login credentials for more than 400 online banking and cryptocurrency exchange services. To do this, the malware draws fake login screens on top of the real apps. In other words, we end up entering our bank login details into screens that have nothing to do with the bank.
Padrinho: the new threat for Android strikes in Portugal!
The Godfather trojan was discovered by analysts at Group-IB, who believe it is the successor to Anubis, a once widely used banking trojan that has since fallen out of favor because it cannot bypass Android’s newer defenses.
ThreatFabric first detected “Padrinho” in March 2021, but the current version is effectively something new, since it has undergone major updates and code improvements since then.
The lures used to trick people are many and varied, and music apps are among them.
Group-IB found limited distribution of the malware in apps on the Google Play Store. However, the main distribution channels have not been discovered, so the initial infection method is largely unknown.
Almost half of all apps targeted by this threat are banking apps, spread across several countries around the world, for example the United States, Turkey, Spain, Canada, France, Germany, the United Kingdom and Portugal.
In addition to banking apps, Padrinho targets 110 cryptocurrency exchange platforms and 94 wallet apps.
Interestingly, the trojan is configured to check the system language, and if it is set to Russian or similar, it stops its operation.
This is a strong indication that the authors of the Godfather are Russian-speaking.
Once installed on the device, Godfather mimics ‘Google Protect’, a security tool found on all Android devices. The malware even goes so far as to fake a scan of the device, as reported by the Bleeping Computer website.
The purpose of this fake scan is to request access to the Accessibility Service from what appears to be a legitimate tool. Once the victim approves the request, the malware can grant itself all the permissions it needs to carry out its malicious behavior.
This includes reading text messages and SMS notifications, recording the screen, accessing contacts, making calls, writing to external storage and reading the device status.
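A defender-side check for the mechanism just described, added here as an example and not taken from the article or from the Group-IB, ThreatFabric or Bleeping Computer reports: it parses the device's `enabled_accessibility_services` secure setting (the value printed by `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is outside an allow-list, since a fake “Google Protect” only works once the user grants exactly this power. The allow-list, the `com.example.fakeprotect` package name and the sample setting value are constructed for the example.

```python
"""Audit the accessibility services enabled on an Android device.

The trojan's foothold is the Accessibility Service permission it obtains
while posing as "Google Protect". The colon-separated value of the secure
setting `enabled_accessibility_services` lists every service that currently
holds that power, so any entry from a package you do not recognise deserves
a closer look.
"""
from __future__ import annotations

# Packages expected to run accessibility services on the audited device.
# This allow-list is an assumption for the example; tailor it to your fleet.
KNOWN_GOOD_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",   # TalkBack, Google's screen reader
    "com.samsung.android.accessibility.talkback",
})


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the raw setting into (package, service class) pairs.

    Entries are ComponentName strings, either fully qualified
    ("pkg/pkg.Service") or with a relative class ("pkg/.Service").
    `settings get` prints the literal string "null" when nothing is set.
    """
    pairs = []
    for entry in setting.strip().split(":"):
        if not entry or entry == "null":
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def suspicious_services(setting: str,
                        allowlist: frozenset[str] = KNOWN_GOOD_PACKAGES) -> list[str]:
    """Return enabled accessibility services whose package is not allow-listed."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(setting)
            if pkg not in allowlist]


# Constructed sample of what the setting might look like on an infected device.
# The second package name is invented for illustration, not a real indicator.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.fakeprotect/.ProtectService")

if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", svc)
```

On a real device, pipe the output of the `adb shell settings get secure ...` command into `suspicious_services` instead of the constructed sample.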
But there’s more: this threat even manages to capture the one-time codes we receive when carrying out certain operations.
To protect against this threat, only download apps from Google Play, keep your device up to date, use an AV tool, make sure Play Protect is enabled and keep the number of installed apps to a reasonable minimum.