The human arsenal, as we know, has always been well stocked, but truth be told, it still holds nothing more valuable than our tendency to grow on a consistent basis. This tendency has already fetched us some huge milestones, with technology appearing as a major member of the group. The reason why technology enjoys such an esteemed stature among people is largely predicated upon its skill-set, which realized possibilities that we couldn't have imagined otherwise. Nevertheless, if we look a little closer, it should become clear that the whole story was also very much inspired by the way we applied those skills in a real-world environment. The latter component was, in fact, what gave the creation a spectrum-wide presence and, consequently, kickstarted a tech revolution. This revolution, in turn, will go on to scale up the human experience from every conceivable direction, but despite all the advancements, technology remains pretty flawed in its design. The same has become a lot more evident in recent times, and the emergence of a new Android virus might just worsen that trend moving forward.

According to a report put together by a team of analysts at Group-IB, various threat actors are using an Android Trojan named Godfather to specifically target banks and cryptocurrency exchanges in over 16 countries. But how does the operation work? Well, it naturally starts by duping the user into installing the virus on their device. Once installed, Godfather disguises itself as Google Protect, which is a standard security tool found on all Android devices. Next, just like any other security tool, the virus requests access to the accessibility service for the stated purpose of scanning the device. Of course, the scan never occurs. Instead, by getting the user's approval on this one request, the virus is able to grant itself all the permissions it needs to perform the intended malicious activity. The stated list of permissions includes uninterrupted access to SMS texts and notifications, screen recording, contacts, making calls, writing to external storage, and reading the device status.

This wider access then allows the Trojan to overlay fake web pages on top of the targeted banking and crypto exchange apps where, as you can guess, it steals the relevant credentials and follows it up by draining the user account of all the funds. If that’s not devastating enough, the virus’ design makes it extremely hard to remove even after the user has detected its presence.
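The pattern described above (a sideloaded app posing as Google Protect, holding an enabled accessibility service, and combining it with overlay and SMS access) can be turned into a simple device-triage heuristic. The Python below is an added example, not code from Group-IB's report or from this article; the inventory records, package names and thresholds are constructed for illustration, in the shape a defender might extract from `adb shell dumpsys package` output.

```python
import re

# Constructed inventory: package names other than Google's are made up for the example.
GOOGLE_PROTECT_LABEL = re.compile(r"google\s*(play\s*)?protect", re.IGNORECASE)
KNOWN_GOOGLE_PACKAGES = {"com.google.android.gms"}   # where the real Play Protect lives
PLAY_STORE = "com.android.vending"                    # installer of Play-distributed apps
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
READ_SMS = "android.permission.READ_SMS"

SAMPLE_INVENTORY = [
    {"package": "com.google.android.gms", "label": "Google Play services",
     "installer": PLAY_STORE, "accessibility_enabled": False,
     "permissions": {OVERLAY}},
    {"package": "com.example.sysupdate", "label": "Google Protect",   # constructed impostor
     "installer": None, "accessibility_enabled": True,               # sideloaded
     "permissions": {OVERLAY, READ_SMS}},
    {"package": "com.example.notes", "label": "Notes",
     "installer": PLAY_STORE, "accessibility_enabled": False,
     "permissions": set()},
]


def triage_app(app):
    """Return the Godfather-style indicators a single installed app exhibits."""
    reasons = []
    # Impersonation: a Google Protect label on a package that is not Google's own.
    if GOOGLE_PROTECT_LABEL.search(app["label"]) and app["package"] not in KNOWN_GOOGLE_PACKAGES:
        reasons.append("label impersonates Google Protect")
    # Accessibility abuse is only possible once the service is actually enabled.
    if app["accessibility_enabled"]:
        if app["installer"] != PLAY_STORE:
            reasons.append("sideloaded app holds an enabled accessibility service")
        if OVERLAY in app["permissions"]:
            reasons.append("accessibility plus overlay permission (fake login page capability)")
        if READ_SMS in app["permissions"]:
            reasons.append("accessibility plus SMS access (one-time code interception capability)")
    return reasons


def triage(inventory):
    """Map package name -> indicator list for every app that raised at least one."""
    return {app["package"]: hits for app in inventory if (hits := triage_app(app))}


if __name__ == "__main__":
    for package, hits in triage(SAMPLE_INVENTORY).items():
        print(package, "->", "; ".join(hits))
```

The heuristic flags only the constructed impostor; a real deployment would feed it the live package list and treat each hit as a lead for manual review, not as proof of infection.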

Another detail worth a mention here is Godfather's link with an older Trojan called Anubis. Going by the available details, the two share a similar method of receiving the C2 address and of processing and executing C2 commands, as well as the web fakes module, the proxy module, and the screen capture module. However, Godfather has implemented a new communication protocol and traffic encryption algorithm, while also introducing a new system for stealing Google Authenticator codes.

As of October 2022, Godfather had targeted more than 215 banks, 94 crypto wallets, and 110 crypto exchange platforms worldwide, although most of these attacks have been discovered in the US.