Nobody is free from banking threats on the smartphone, especially on Android, where malware designed to steal money is common. Even when many of the threats that have been attacking users in recent months are dealt with, others appear, and they are usually more advanced. That’s exactly what is happening with the latest malware, which tries to steal account access credentials for over 400 online banking and cryptocurrency exchange sites. To do this, the malware creates fake login screens that are displayed on top of the real apps. In other words, we end up entering our bank credentials into screens that have nothing to do with the bank. However, there is a way to be protected.
Android: There’s a new way to steal money!
The Godfather trojan was discovered by analysts at Group-IB, who believe it is the successor to Anubis, a widely used banking trojan. Anubis, however, has fallen out of favor due to its inability to bypass Android’s new defenses.
ThreatFabric discovered Godfather for the first time in March 2021, but the current version turns out to be something new, because it has undergone major updates and code improvements since then.
Ways to keep people going are many and varied including through music apps.
Group-IB found limited distribution of the malware in apps on the Google Play Store. However, the main distribution channels have not been discovered, so the initial infection method is largely unknown.
Almost half of all apps targeted by this threat are banking apps, and they are spread across several countries around the world, including the United States, Turkey, Spain, Canada, France, Germany, the United Kingdom and Portugal.
In addition to banking apps, Godfather targets 110 cryptocurrency exchange platforms and 94 wallet apps.
Interestingly, the trojan is configured to check the system language, and if it is set to Russian or similar, it stops its operation.
This is a strong indication that the authors of the Godfather are Russian-speaking.
A threat that tricks users well
Once installed on the device, Godfather mimics ‘Google Protect’, a security tool found on all Android devices. The malware even goes so far as to simulate a scan of the device, as reported by the Bleeping Computer website.
The purpose of this fake scan is to request access to the Accessibility Service from what appears to be a legitimate tool. Once the victim approves the request, the malware can grant itself all the permissions it needs to perform malicious behavior.
This includes accessing SMS messages and notifications, recording the screen, reading contacts, making calls, writing to external storage and reading device status.
But there’s more. This threat even manages to access the one-time codes that we receive when we want to carry out certain operations.
How to be protected
Group-IB advises always checking that you are running the latest version of Android on your smartphone. The more recent the Android version you are running, the less likely you are to be infected with a banking Trojan.
You should also avoid sideloading apps or installing them from third-party Android stores. In addition, check the permissions that each application is requesting. If the permissions requested by a particular app seem inappropriate, you might not want to install it. Also, do not click on links sent in text messages.
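The permission check advised above can be run over the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>`. The following is an added example, not code from the article or from Group-IB: it flags apps that have an enabled accessibility service and also hold several of the permissions Godfather is described as obtaining. The package names, the sample output and the threshold of three are constructed assumptions.

```python
import re

# Permissions matching the capabilities listed in the article (SMS, contacts,
# calls, external storage, device status). Screen recording is not granted
# through a manifest permission of this kind, so it is not covered here.
RISKY = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.CALL_PHONE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
}
GRANTED = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true", re.M)


def accessibility_packages(setting_value):
    """Package names from `settings get secure enabled_accessibility_services`."""
    value = setting_value.strip()
    if value in ("", "null"):          # nothing enabled on this device
        return set()
    # Entries are colon-separated "package/service" component names.
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def audit(setting_value, dumps, trusted=frozenset(), threshold=3):
    """Flag untrusted accessibility apps holding >= threshold risky permissions.

    `dumps` maps a package name to its `dumpsys package <pkg>` text.
    `threshold` is an assumed cut-off, not a value from the article.
    """
    findings = {}
    for pkg in sorted(accessibility_packages(setting_value) - set(trusted)):
        granted = set(GRANTED.findall(dumps.get(pkg, "")))
        risky = granted & RISKY
        if len(risky) >= threshold:
            findings[pkg] = sorted(risky)
    return findings


# Constructed sample data (not captured from a real device).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.protect/com.example.protect.ScanService\n")
SAMPLE_DUMPS = {"com.example.protect": """
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true
      android.permission.CALL_PHONE: granted=true
      android.permission.CAMERA: granted=false
"""}
```

A flagged package is a prompt to review that app in the Accessibility settings, not proof of infection.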
If for some reason your smartphone is already infected, you must follow at least three steps.
First, disable network access. Then freeze all bank accounts that may have been accessed by third parties. Finally, contact experts to receive detailed information about the risks that the malware can pose to your device.