Godfather virus massively attacks Android users

A new threat called Godfather has appeared on the network. It is a Trojan aimed at Android smartphone users: it steals data, takes screenshots and disguises itself as an official Google service.

Group-IB analysts have recorded a surge in the number of cases of user data theft through the Godfather Trojan. This malware masquerades as Google services and third-party apps to obtain the information needed to access banking platforms and crypto exchanges. The threat first appeared in June 2021, but the Trojan became widespread in early 2022. Analysts believe that this is a MaaS (malicious software as a service) threat.

Scope of Godfather

Attacks by this Trojan have been recorded in 16 countries. For the most part, these are the USA (49 cases), Turkey (31) and Spain (30). 419 companies were hit, of which 25.7% are crypto exchanges and another 22.2% are custody services, including wallet operators. It is noteworthy that the Trojan reacts to the system language of the device. If the user has Russian, Belarusian, Abkhazian, Kyrgyz, Moldovan or Uzbek installed, the software simply stops working.

How it works

Like most MaaS-type threats, Godfather focuses on harvesting user data. In most cases, it mimics Google Protect, a standard security protocol found on most Android devices. In Turkey, the Trojan masquerades as the MYT Müzik app. The software even imitates the functionality of the original to dull the user's vigilance. As soon as the owner of the device grants all the necessary permissions, thinking that this is a protection service, the Trojan begins to collect their data. This includes SMS, notifications, files from backup and buffer, contacts, call records, entered data and much more.

In some cases, Godfather created a so-called backdoor. This is an additional "layer" on top of the interface of a banking application, crypto exchange client or wallet. The user only had to enter their data in the fake form to be deprived of all savings.
Similarity to Anubis

The code of the Anubis virus was "leaked" to the network in 2019. Group-IB analysts believe that Godfather could have been developed by the same person, or that this Trojan is a new creation based on the old one. There are certain similarities between them. These concern the smartphone screen recorder module and the distribution of C2 requests. One way or another, this is a serious threat that targets Android users around the world.

Earlier, we talked about an interesting virus called Water Labbu. It is notable for stealing crypto from scammers, not ordinary users.