A new variant of the Android banking Trojan, Godfather, has been detected with the latest version of the malware being used to target more than 400 financial institutions worldwide, including 215 international banks, 110 cryptocurrency exchanges, and 94 cryptocurrency wallets in at least 16 countries including the United States, Canada, United Kingdom, Spain, France, and Germany.

Godfather malware is thought to have evolved from the Anubis banking Trojan, and while it was first detected 18 months ago, it has been rarely used until recently. The malware was only distributed in low volume during its first year, then it disappeared entirely in June 2022, suggesting the developers were working on a new version. That new version was released in September 2022.

While banking Trojans can have quite extensive functionality, their primary purpose is to steal the login credentials for financial institutions, which they usually obtain by generating fake login pages for the institutions that they target. What makes Godfather malware stand out is the number of financial institutions that are targeted. When installed on a device, Godfather malware will generate a fake login page when a user attempts to use the app of a targeted bank or cryptocurrency exchange. These fake login pages are overlays, that are displayed on top of the legitimate targeted app. The fake login page created by the malware will capture the user’s credentials when they are entered.

Most financial institutions have additional authentication requirements and no longer rely on a username and password for granting access. Banking Trojans therefore need to have the capability to bypass these additional authentication measures if they are to be successful. Godfather malware achieves this by masquerading as Google Play Protect and attempts to get the user to grant it accessibility rights, which allows the app to log keystrokes and also read SMS messages and perform screen captures. Those rights will allow the malware to capture the necessary information to bypass multi-factor authentication and other security features. Once credentials and other login information are harvested, accounts are accessed and emptied.

The new version of the malware was detected and analyzed by security researchers at Group-IB, who believe the malware was developed by Russian speakers, as the malware has a kill switch that will deactivate it if it detects any of the languages in former Soviet states, apart from Ukraine. The researchers believe that Godfather malware has been created for use under the malware-as-a-service model, where the developers offer the malware to a range of threat actors for a fee, allowing them to steal login credentials for financial accounts without having to develop their own malware.

Since multiple threat actors will likely be using the malware, the vectors used to distribute the banking Trojan will likely be diverse. As was the case with Anubis, one of the distribution methods is via decoy applications in the Google Play store. Godfather malware is more advanced than its predecessor and it is thought that it will grow into a major threat and will likely be modified further to target even more financial institutions.