Hundreds of banks and crypto exchanges targeted by Android Godfather malware


Multiple cybersecurity firms have confirmed the existence of Godfather, an Android banking malware that has been found targeting victims' bank and cryptocurrency accounts.

Experts at Group-IB, ThreatFabric, and Cyble have all recently reported on Godfather, its targets, and its methods: the malware attempts to steal login data by overlaying legitimate banking and cryptocurrency apps (exchanges, wallets, and similar).

The group found that Godfather has targeted more than 400 different entities, with most of them being in the US (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17). 

Multiple infection vectors

What’s more, the malware analyzes the endpoint it infected, and if it determines that the device language is either Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik, it shuts the whole operation down - leading some of the researchers to believe that the threat actors are of Russian origin.

The exact number of infected devices is impossible to determine, as the Play Store is not the only infection vector. In fact, the malware has had a relatively limited distribution through Google’s app repository, and the main distribution channels are yet to be discovered. What we do know, courtesy of Cyble’s research, is that one of the malicious apps has more than 10 million downloads under its belt.

But when a victim downloads the malware, they first need to give it permissions, which is why, in some instances, it imitates “Google Protect” and demands access to the Accessibility Service. If the victim grants it, the malware takes over SMS texts and notifications, starts recording the screen, exfiltrates contacts and call lists, and more.

Turning on the Accessibility Service also makes the malware even harder to eliminate, and allows threat actors to exfiltrate Google Authentication one-time passwords as well.
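Because the takeover described above depends on an enabled accessibility service, a defender can audit which services a device has switched on. The following is an added example, not code from the article or from the cited researchers: it parses the value of Android's `enabled_accessibility_services` secure setting and flags anything outside an allowlist. The allowlist, the sample value, the label mapping, and the package `com.example.protect` are constructed assumptions.

```python
# Raw value as returned by:
#   adb shell settings get secure enabled_accessibility_services
# Constructed sample: one expected service and one hypothetical impostor.
SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.protect/.GuardService"
)
# Constructed package -> user-visible app label mapping.
SAMPLE_LABELS = {"com.example.protect": "Google Protect"}

# Assumption: packages this fleet expects to hold accessibility access.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}
# Branding the article says the malware imitates.
LOOKALIKE_LABELS = ("google protect",)


def parse_enabled_services(raw):
    """Split the colon-separated setting into (package, class) pairs."""
    services = []
    for entry in raw.strip().split(":"):
        entry = entry.strip()
        if not entry or entry == "null":  # "null" means nothing is enabled
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):  # relative class name, expand it
            cls = package + cls
        services.append((package, cls))
    return services


def audit(raw, labels=None):
    """Return one finding per enabled service outside the allowlist."""
    labels = labels or {}
    findings = []
    for package, cls in parse_enabled_services(raw):
        if package in ALLOWED_PACKAGES:
            continue
        label = labels.get(package, "")
        reasons = ["accessibility service not on allowlist"]
        if any(name in label.lower() for name in LOOKALIKE_LABELS):
            reasons.append("label imitates Google security branding")
        findings.append({"package": package, "service": cls,
                         "label": label, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, SAMPLE_LABELS):
        print(finding)
```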

The researchers also said that the malware has additional modules that can be added, giving it extra features such as launching a VNC server, enabling silent mode, establishing a WebSocket connection, or dimming the screen.

Via: BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
