Godfather Malware Targets Crypto Users In Over A Dozen Countries

Malware, especially on mobile devices, can be incredibly problematic for consumers. The Godfather Trojan, a malware strain targeting Android devices, is one such nasty example. It targets crypto and banking applications, which can have widespread consequences.

Beware Of The Godfather Trojan

It is no secret criminals want to defraud mobile users. Whether they use cryptocurrencies or traditional banking apps, they will eventually be a target. The Godfather Android Trojan illustrates that approach well. It is a problematic malware strain targeting hundreds of Android applications. So far, the malware is active in over a dozen countries, although that list will likely expand. 

It is too early to gauge whether Godfather will be successful. However, the code creates convincing fake websites and fake copies of applications. Those are layered on top of the real applications, tricking users into thinking their device works fine while criminals capture their login details and steal funds. Users should always introduce additional protection, such as 2FA through a different device.

The malware has been in circulation for a while. Godfather has targeted over 200 banks and dozens of crypto wallet providers. In addition, the malware goes after crypto exchanges, primarily in the US, UK, Canada, and Turkey. No one is safe from this malware if they use an Android device. Interestingly, the code stops working on devices belonging to Russian-speaking users. Other Slavic languages may prevent the app from causing harm as well.

That doesn’t mean the people behind Godfather are from Russia or the former Soviet Union, though. It is likely they want to avoid retaliation by not targeting devices in those countries. More research will be needed to shed some light on this aspect. What we do know is that Godfather is an upgrade from Anubis, another banking Trojan that had its code leaked in 2019. Although that threat has been dormant since then, it has now come back. 

The Distribution Vector Remains Unclear

Although Godfather has been on security researchers’ radar for some time, the new version causes concern. Moreover, there are many questions as to how criminals distribute the payload. Traditional methods include bundling it with another Android app, phishing, and so on. So far, a malicious Android application in the Google Play Store seems the most likely candidate. Which application that may be is anyone’s guess.

One of the applications in Godfather’s “network” is Currency Converter Plus. It has over 500 downloads and a 4.7 Google Play Store rating. It is one of many possible distribution avenues. Once installed, the Godfather Trojan will try to mimic Google Protect. In addition, the Trojan grants itself the permissions it needs to communicate with a command-and-control server.