According to a statement from German regulator BaFin, malware dubbed “The Godfather” is targeting users of cryptocurrency apps and other services. January 9.
According to BaFin, The Godfather influences around 400 cryptocurrency and banking apps. According to another report from , the malware more specifically targeted 110 cryptocurrency exchanges, 94 cryptocurrency wallets, and 215 banking apps. Group IB in December.
Godfather steals login data from users by displaying a fake login window on top of the real login window, thereby tricking users into filling out monitored forms.
Godfather only works on Android devices. It imitates Google Protect to establish itself. It then falsely scans Play Store downloads for malware and hides itself from the list of installed applications. By mimicking Google Protect, Godfather can also leverage AccessibilityService to gain further device access and relay data to attackers.
Godfather specifically tries to mimic applications installed on the user’s device. However, you can also record your screen, launch a keylogger, forward calls containing 2FA codes, send SMS messages, and utilize a variety of other tactics.
Germany warned of a Godfather attack today, but the attack was not confined to that country alone. The IB Group said in its report that Godfather targets users in 16 countries, including the United States, Turkey, Spain, Canada, France, and the United Kingdom. By the way, devices configured to use certain languages, including Russian, cannot run malware.
Group IB suggested that parts of Godfather were distributed via malicious Google Play applications. However, the security research group says there is an overall “lack of clarity” about how this particular malware infects devices.
Phishing malware is fairly common. A similar malware called Mars Stealer emerged in 2022, and another malware called Raccoon was seen in 2021.
However, phishing can be performed without infecting the user’s device. Such attacks can only be carried out by creating fake emails or websites that resemble their real counterparts. It relies on human error, not compromised devices.