The Godfather trojan resurfaces with enhanced capabilities

January 11, 2023
Tags: Godfather, Banking Trojan, Malware, Android, Europe, MYT Music, Mobile App

Reports reveal that the Godfather banking trojan has recently reemerged in the cybercrime landscape, fully equipped with advanced capabilities. The banking trojan was seen impersonating an application on the Google Play Store and has amassed over 10 million user downloads.

Europe is documented as the most targeted region of the Godfather trojan. However, experts say that the malware’s recently upgraded capabilities include evading detection, so researchers may find it harder to spot Godfather’s latest activities.

The trojan carries out a series of activities once it is running on an Android device. These include stealing victims’ banking and cryptocurrency credentials, text messages and information about installed apps, taking over the device through VNC, forwarding incoming calls, injecting banking URLs, and more, all of them typical banking-trojan behaviour.

The Godfather trojan operators were able to sneak past Google’s malware detection.

The app impersonated in this report was called ‘MYT Music’; it was available on the Google Play Store and logged over 10 million user downloads. Because the malicious app used the Turkish language, researchers presume that the prime targets of this recent campaign are Android users in Turkey, alongside users in other countries worldwide.

Fortunately, Google reports that the malicious app has since been removed from the Play Store, although users who installed it before the takedown may still be at risk.

The Godfather trojan requests 23 different device permissions once it has been installed. These permissions give the operators access to the victim’s sensitive information. Aside from collecting data, the trojan can also write, modify, or delete files in the device’s external storage and disable any existing passwords or keylocks.

After completing all its objectives, the trojan receives a command from the operators’ remote server to self-destruct, which hinders malware analysis.

As per usual advice, users, especially Android device owners, must only download applications from official app stores. However, this is not completely foolproof, as threat actors can still slip malicious apps into official app stores; thus, investing in trusted malware detection tools is highly recommended.

Users should also review all permission requests from a recently installed application and decide which permissions can be denied or revoked, particularly those that ask for camera, microphone, SMS, contact list, or location access.
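As an added illustration of that review (example code written for this page, not from the report or from Google), the script below parses the granted-permission lines of an `adb shell dumpsys package <pkg>` dump and flags the categories the article names as worth scrutinising, plus the storage-write and keylock-disable capabilities it attributes to Godfather. The dump excerpt and the package name are constructed placeholders; the permission constants are real Android identifiers, and a music player is assumed to need nothing beyond external storage access.

```python
import re
from typing import Dict, List

# Permission constants are real Android identifiers; the grouping into the
# article's review categories is this example's own.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage write",
    "android.permission.DISABLE_KEYGUARD": "disable keylock",
}

# Constructed excerpt in the shape of `adb shell dumpsys package <pkg>`
# output; the package name is a placeholder, not the real app's identifier.
SAMPLE_DUMPSYS = """\
  Package [com.example.placeholder.music] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
      android.permission.WRITE_EXTERNAL_STORAGE: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.CAMERA: granted=false
      android.permission.ACCESS_FINE_LOCATION: granted=true
"""

PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_permissions(dumpsys_text: str) -> List[str]:
    """Return every permission the dump marks as granted, in dump order."""
    return [m.group(1) for line in dumpsys_text.splitlines()
            if (m := PERM_RE.match(line)) and m.group(2) == "true"]


def sensitive_categories(dumpsys_text: str) -> Dict[str, List[str]]:
    """Group the granted sensitive permissions by review category."""
    out: Dict[str, List[str]] = {}
    for perm in granted_permissions(dumpsys_text):
        if perm in SENSITIVE:
            out.setdefault(SENSITIVE[perm], []).append(perm)
    return out


def review_verdict(dumpsys_text: str, expected=("external storage write",)) -> str:
    """List categories a music player has no evident need for, so the user can revoke them."""
    unexpected = sorted(c for c in sensitive_categories(dumpsys_text) if c not in expected)
    return "review: " + ", ".join(unexpected) if unexpected else "ok"


if __name__ == "__main__":
    print(review_verdict(SAMPLE_DUMPSYS))
```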
