The Godfather is real – It’s a banking trojan that targets users of more than 400 apps


The Godfather banking trojan is making an offer victims can't refuse

  • The Godfather trojan can record login credentials, credit card numbers, and other private information and send it back to the attackers
  • Hackers are now using the Godfather Android banking trojan to attack users of top banking and cryptocurrency exchange applications in 16 countries

“I’m gonna make him an offer he can’t refuse,” is probably the most iconic line from The Godfather. While the movie may not be based on a real mafia family, there is now a real Godfather online—a banking trojan, to be exact. In fact, hackers using the trojan may end up making their victims an offer they can't refuse once their devices have been infected.

The Godfather banking trojan is malicious software designed to steal confidential financial information from victims’ computers. It often spreads through phishing emails or is downloaded in conjunction with other programs. Once it has been installed on a victim’s machine, the Godfather trojan can record login credentials, credit card numbers, and other private information and send it back to the attackers.

According to the latest report by Group-IB, the Godfather Android banking trojan is now being used by hackers to attack users of top banking and cryptocurrency exchange applications in 16 countries.

The malware has so far targeted the users of more than 400 applications. It does this by creating convincing online impersonations of those applications and displaying them on infected devices when a user attempts to launch a targeted app. With this approach, threat actors using Godfather try to acquire the victim’s login information and get around two-factor authentication to access their accounts and steal their money. During its research into this new Android trojan, Group-IB’s Threat Intelligence team concluded that Godfather is a replacement for Anubis, a famous banking trojan whose functionality was constrained by Android updates and by the prior efforts of malware detection and prevention companies.

It’s just business for the Godfather banking trojan

As of October 2022, Godfather has targeted 215 banks, 94 crypto wallet providers, and 110 crypto exchange sites. Users in more than a dozen countries have been in danger of having their credentials stolen by threat actors using Godfather, demonstrating the trojan’s use across various markets. According to Group-IB’s findings, this specific trojan has primarily targeted banking applications in the United States (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17). The following provides a detailed breakdown of Godfather’s scope:

[Image: Who and where Godfather targets. (Source – Group-IB)]

The Godfather in action

One of its distinguishing features is the ability to be distributed using a Malware-as-a-Service (MaaS) architecture. This discovery was made possible thanks to the Group-IB Threat Intelligence solution’s real-time Telegram monitoring capabilities. In addition, Group-IB analysts discovered that Godfather command and control (C&C) addresses were distributed via Telegram channel descriptions, just like Anubis.

[Image: A Telegram user asking for a review of the Godfather banking Trojan. (Source – Group-IB)]

Once Godfather has been downloaded onto a device, the malware tries to remain persistent by pretending to be Google Protect, the legitimate program that launches when a user installs an app from the Play Store. The malware mimics the official Google application and tells the user that it is “scanning” the device. In reality, no scan takes place. Instead, the malware pins a fake “Google Protect” notification to the top of the screen and removes its own icon from the list of installed apps.

The user continues their usual activities, unaware that malware has been installed on their device. That’s when the Godfather assumes its position. It uses one of its defining features, web fakes: HTML pages made by threat actors that overlay legitimate applications. Web fakes imitate the legitimate programs’ login pages, and all information entered there, including usernames and passwords, is transmitted to the C&C servers.

[Image: HTML fakes contained in Godfather imitating targeted Turkish companies. (Source – Group-IB)]

APAC isn’t affected, but it’s no time to be relieved

The Godfather banking Trojan has been known to affect victims in various regions worldwide. Indeed, the APAC region is among the most vulnerable to cyberattacks, including trojans that steal money, like the Godfather. People and organizations in the APAC region, as well as those in other regions, need to be aware of the threat posed by the Godfather Trojan and take precautions to protect themselves against it.

To reduce the risk of installing banking Trojans like Godfather, Group-IB’s Threat Intelligence team advises users to avoid downloading applications from sources other than the Google Play Store, to make sure they are downloading the legitimate, verified application from those sources, and to check what permissions an application requests once it has been downloaded.