A new variant of the Godfather malware targets more than 500 banking and cryptocurrency apps. A phishing website mimicking Australia’s official MyGov portal was found distributing a fraudulent app that delivers this dangerous malware, targeting unsuspecting users in Japan, Singapore, Greece, Azerbaijan, the United States, the United Kingdom, Turkey, Spain, and Italy.
The counterfeit website, ‘mygov-au[.]app,’ was crafted to appear as Australia’s trusted MyGov platform, fooling users into downloading an APK file labelled ‘MyGov.apk.’
Once downloaded and installed, this application communicates with a remote URL, ‘hxxps://az-inatv[.]com/.’ The primary function of this malicious app is to collect critical information from the infected device, including IP addresses and device data. This information is then stored on the attackers’ server, creating a foothold for further exploitation.
Upon deeper inspection, researchers discovered a directory associated with that URL which hosted additional malware-infected files and logged infected-device information in a zip file called ‘counters.zip.’
This archive contained detailed lists, including 151 recorded infections and 59 unique IP addresses, suggesting an organised tracking system to monitor and potentially expand the infection scope.
Researchers found significant advancements in the new variant of the GodFather malware. The new version has transitioned from Java to native code, making it more sophisticated and harder for cybersecurity experts to detect and analyse.
The malware now extensively uses the Android Accessibility service, enabling it to carry out complex actions with minimal permissions and evade traditional security checks.
One of GodFather’s core techniques is mimicking legitimate banking and crypto applications. When a user opens one of the 500 targeted apps, the malware intercepts the attempt, shutting down the genuine app and presenting a phishing screen. This allows the malware to harvest sensitive login credentials by tricking users into entering them on a fake yet convincing login page.
This GodFather variant continues to use Command and Control (C&C) servers for communication, with initial contact occurring through a Base64-encoded URL embedded in a Telegram profile.
Upon decoding, this URL connects to ‘hxxps://akozamora[.]top/z.php,’ through which GodFather sends and receives data. This data includes information such as the list of installed applications, device language, and other unique identifiers.
In response, the C&C server provides targeted banking and cryptocurrency app names, guiding the malware to trigger phishing overlays for these applications.
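The initial-contact mechanism described above, a Base64-encoded C&C URL parked in a public profile, is a dead-drop resolver, and it is something a defender can hunt for. The following Python is an added example, not code from the original article or from the researchers: it scans arbitrary text for Base64-looking tokens, decodes each one, keeps only those that decode to a syntactically valid http(s) URL, and renders the hits in the same defanged notation the article uses. The sample profile text and the URL inside it are constructed placeholders, not indicators from the page.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# A Base64 token: 16 or more characters of the standard alphabet, optionally padded.
# The minimum length filters out ordinary short words that happen to be valid Base64.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_urls(text):
    """Return (token, decoded_url) pairs for every Base64 token in `text`
    that decodes to a syntactically valid http(s) URL."""
    findings = []
    for match in _B64_TOKEN.finditer(text):
        token = match.group(0)
        # Profile fields often strip '=' padding; normalise before decoding.
        core = token.rstrip("=")
        padded = core + "=" * (-len(core) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # not actually Base64
        try:
            decoded = raw.decode("ascii").strip()
        except UnicodeDecodeError:
            continue  # decoded to binary, not a URL
        parsed = urlparse(decoded)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            findings.append((token, decoded))
    return findings


def defang(url):
    """Render a URL in the hxxps://host[.]tld notation used in threat reports,
    so it cannot be clicked or auto-linked by accident."""
    parsed = urlparse(url)
    safe_scheme = parsed.scheme.replace("http", "hxxp")
    safe_host = parsed.netloc.replace(".", "[.]")
    return url.replace(f"{parsed.scheme}://{parsed.netloc}",
                       f"{safe_scheme}://{safe_host}", 1)


# Constructed sample: a profile bio with an encoded dead drop hidden among
# ordinary text and one harmless Base64 string ("Hello World!") as a decoy.
# The token decodes to https://c2.example.invalid/z.php (a placeholder host).
SAMPLE_BIO = (
    "Crypto enthusiast. DM for signals!\n"
    "ref: aHR0cHM6Ly9jMi5leGFtcGxlLmludmFsaWQvei5waHA=\n"
    "motto: SGVsbG8gV29ybGQh\n"
)

if __name__ == "__main__":
    for token, url in decode_base64_urls(SAMPLE_BIO):
        print(f"{token} -> {defang(url)}")
```

Run against scraped profile text (bios, display names, pinned posts), the script yields the resolver URLs to block or sinkhole; a hit on a profile that a monitored app contacts at install time is a strong signal, because legitimate apps have no reason to fetch their server address from a chat-platform profile.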
An analysis of the malware’s functionality revealed several new commands, further automating its malicious actions. These include commands to navigate the device interface, perform specific gestures on target applications, control screen brightness, and even manipulate app and notification settings. Researchers also discovered that the previous version’s ability to read and send SMS messages was removed, likely in an attempt to minimise permissions, making the malware even more covert.
Researchers have advised users to download software only from official app stores or websites, install a reputable anti-virus on their device, use a strong password, enable biometric security features, and ensure that Google Play Protect is enabled.
“By moving to native code and using fewer permissions, the attackers have made GodFather harder to analyse and better at stealing sensitive information from banking and cryptocurrency apps. With its new automated actions and broader targeting of apps in more countries, this malware poses a growing risk to users worldwide. Staying alert and using strong security practices on mobile devices is essential to avoid falling victim to threats like GodFather,” researchers concluded.