Security experts at Group-IB have just discovered a type of malicious code called “Godfather” on a series of Android applications.
According to information from the researchers, the malware targets more than 400 banking and cryptocurrency applications in 16 countries. Specifically, from June 2021 to October 2022, 49 US companies, 31 companies in Turkey and 30 companies in Spain became victims of GodFather. Financial services firms in Canada, France, Germany, the UK, Italy and Poland were also affected.
GodFather spoofs targeted banking apps. Photo: Group-IB
It is known that after being installed on the device, these malicious applications containing malicious code will masquerade as legitimate software, thereby asking the user to grant access to the accessibility service.
After the victim accepts the request, the malware can grant itself all the permissions it needs to perform the malicious behavior. This includes access to SMS and notifications, screen recording, contacts, making calls, writing to external storage, and reading device status.
Furthermore, accessibility services are abused to prevent users from deleting trojans, stealing Google Authenticator OTPs (disposable passwords), command processing, and stealing PINs and passwords.
The malware can also generate fake notifications from apps installed on the victim’s device to send the victim to a phishing page.
Therefore, to avoid being attacked by this dangerous malicious code, experts at BleepingComputer recommend that users only download the application from the CH Play store. At the same time, users should make sure the Play Protect tool is always active so that dangers can be detected early.
In addition, users are also advised to review the permissions that each application requires after installation. If the permissions don’t match, reject or delete the app immediately.
In addition, you should also not click on links sent in emails or text messages. If you suspect that your phone has been infected with GodFather malware, immediately take the following 2 steps
– Disable network access
– Freeze any previously accessed bank accounts
Researchers have discovered an app on Google Play that is linked to the GodFather malware, Currency Converter Plus.
Therefore, if you have installed this application on your phone by mistake, go to Settings – Apps (applications) – Manage apps (manage applications), then click Uninstall to remove.
Reference: Bleepingcomputer