The notorious GodFather Android banking malware has broadened its reach: its latest version targets over 500 banking and cryptocurrency apps across multiple countries.
Researchers stated that this version adopts more sophisticated tactics, such as moving its core logic into native code and requesting fewer permissions. These changes have made the malware more evasive and more aggressive than its predecessor.
In addition, threat actors now distribute the new strain through phishing websites. In one recent incident, a fake MyGov website delivered a malicious APK posing as the MyGov app; the operation targeted users in order to harvest their banking credentials.
The malware abuses Android's Accessibility service to perform gestures on the victim's behalf, load injection URLs into a WebView, and communicate with its command-and-control (C2) server.
According to the investigation, GodFather has moved from a Java-based payload to native code. This lets the new strain carry out its most dangerous functions, such as loading an injection URL, performing automated gestures, connecting to the command-and-control server, and keylogging, from a native library rather than from DEX bytecode.
Because most static analysis tooling for Android is built around DEX bytecode, this change has made the malware substantially harder to detect, reverse engineer, and analyse.
The researchers also noted that once GodFather detects that a targeted app, such as a banking or cryptocurrency app, is in the foreground, it closes the genuine application.
In its place it loads a fake login page for that bank or exchange in a WebView, or simply shows a blank screen, intercepting the login attempt and harvesting the credentials the user enters.
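The attack chain above rests on two things a defender can check on a device: an app that arrived outside the Play Store (the phishing-site APK) and that app holding an enabled Accessibility service. The following triage script is an added example and is not code from the original article or from the GodFather research it summarises. It parses the two pieces of device state an analyst would normally pull over adb (the commands are noted in comments) and flags any non-allowlisted Accessibility service, noting whether the owning package was sideloaded. The allowlist and all sample inputs are constructed for the example; the package com.example.sideloaded is a placeholder, not a real malware identifier.

```python
"""Triage: flag third-party apps that have been granted Accessibility access.

Added example (not from the original article or the research it cites).
Inputs are taken from two adb commands, here replaced by constructed data:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package <pkg>   (look for installerPackageName=...)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Accessibility services expected on a typical device. This allowlist is an
# assumption for the example; tune it to the fleet being triaged.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

# installerPackageName that Android records for apps installed from Google Play.
PLAY_STORE_INSTALLER = "com.android.vending"


@dataclass
class Finding:
    package: str
    service: str
    installer: Optional[str]
    reason: str


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Parse the Secure setting `enabled_accessibility_services`.

    Entries are flattened ComponentNames, `package/ServiceClass`, separated
    by ':'. A class name starting with '.' is shorthand for the package prefix
    (the same rule Android's ComponentName.unflattenFromString applies).
    """
    entries = []
    for item in raw.strip().split(":"):
        if not item or "/" not in item:
            continue
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def triage(raw_services: str, installers: Dict[str, Optional[str]]) -> List[Finding]:
    """Return one Finding per enabled Accessibility service outside the allowlist.

    `installers` maps package -> installerPackageName from `dumpsys package`;
    None means no installer was recorded, i.e. the APK was sideloaded.
    """
    findings = []
    for pkg, svc in parse_enabled_services(raw_services):
        if pkg in KNOWN_GOOD_PACKAGES:
            continue
        installer = installers.get(pkg)
        if installer == PLAY_STORE_INSTALLER:
            reason = "non-allowlisted accessibility service (Play Store install)"
        else:
            reason = "non-allowlisted accessibility service, sideloaded"
        findings.append(Finding(pkg, svc, installer, reason))
    return findings


# Constructed sample state: TalkBack plus a hypothetical sideloaded app.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.AccService"
)
SAMPLE_INSTALLERS = {
    "com.google.android.marvin.talkback": "com.android.vending",
    "com.example.sideloaded": None,  # no installer recorded: sideloaded
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print(f"{f.package} ({f.service}): {f.reason}")
```

On the constructed input the script reports only com.example.sideloaded, because TalkBack is allowlisted. A hit with both properties (sideloaded and holding Accessibility access) is exactly the profile of the APK described above and warrants pulling the package for analysis; a Play Store app with Accessibility access is lower priority but still worth confirming against the allowlist.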
Furthermore, the new GodFather strain has broadened its geographic reach: it now targets users in at least eight countries, including the UK and the US.
Cryptocurrency and banking app users should stay vigilant against malware like GodFather: install apps only from official stores, treat APKs offered by websites with suspicion, and question any app that asks for Accessibility access it has no plausible need for.