© 2023 CyberNews - Latest tech news,
product reviews, and analyses.


Western banks whacked by Russian-friendly Trojan, study finds


Keep your friends close and your enemies closer – so said the Godfather, and the banking Trojan of that name appears to have done just that, getting within shooting distance of targets across 16 countries. But, intriguingly, the app’s hit list is programmed to avoid Russia and other former Soviet nations.

Believed to have been active since last year and to have upgraded its digital Tommy guns this September, Godfather appears hell-bent on making sure data privacy sleeps with the fishes, as it seeks to do the job on users of more than 400 banking and cryptocurrency organizations, most of them in Europe and North America.

“The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe,” said Group-IB. “Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts.”

Hit list of nations

Companies targeted to be ‘whacked’ by Godfather were predominantly European and North American – for instance 19 in Germany, 49 in the US, and 30 in Spain – along with financial service providers and crypto apps in Italy, Canada, France, UK, Poland, and other countries.

Users in the Middle East, for instance in Turkey, Kuwait, and Israel, have also been targeted – but not those in Russian-speaking countries.

“Godfather’s code features a functionality that stops the Trojan from attacking users who speak Russian or one of a number of languages used in the former Soviet Union,” said Group-IB.

Others are not so lucky: “Godfather overlays web fakes on infected devices that appear when a user tries to open one of the legitimate applications targeted by Godfather. All data entered into the fake web pages – such as usernames and passwords – is exfiltrated to command-and-control servers.”

The cybersecurity analyst adds that Godfather developers used Anubis source code – named after the Egyptian god who ruled over the dead – as a basis, modifying it for newer versions of Android so it could pull the trigger on more hapless victims.

“Based on Godfather’s network infrastructure, this banking Trojan is distributed through decoy applications hosted on Google Play,” said Group-IB.

Malware you just can’t refuse

Foremost among Godfather’s targets are financial institutions (50.9%), followed by crypto wallets (22.2%) and exchanges (25.7%) – indicating that the Trojan is as greedy for loot as any 20th-century mafioso.

Other weapons in the Godfather’s arsenal include the ability to record a target’s device screen, to exfiltrate push notifications, and to forward calls to help bypass two-factor authentication – a concerning feature given the latter often comes highly recommended by cybersecurity analysts.

Group-IB’s analysis of the malicious program found that both it and Anubis shared the same code base but that the C&C communication protocol, capabilities, and implementation had been modified in Godfather.

“The latter can therefore be considered an Anubis fork,” said Group-IB, but added: “Given that the source code for Anubis is publicly available, it is not possible to claim that the two Trojans were created by the same developer or operated by the same threat group.”

