"Godfather Trojan Targets 400 Financial Services Firms"

According to security researchers at Group-IB, a prolific mobile banking Trojan has targeted users of hundreds of banking applications, cryptocurrency wallets, and crypto exchanges since at least June 2021. The researchers noted that the Trojan had targeted 215 global banks, 94 cryptocurrency wallets, and 110 crypto-exchange platforms. Most of those firms are in the US, Turkey, Spain, Canada, Germany, France, and the UK. Interestingly, none are located in former Soviet countries, hinting that the perpetrators may be Russian.

The researchers stated that the malware is hidden in legitimate-looking apps on Google Play, with the payload spoofed to appear as if it's Google Protect. It is based on an older banking Trojan known as Anubis, which has been modernized to include a different C&C communication protocol, traffic encryption algorithm, and other features. Some of the old functionality in Anubis has also been removed, including file encryption, recording audio, and receiving GPS information.

When a user interacts with a decoy notification or tries to open one of the legitimate applications targeted by Godfather, the malware shows them a "web fake" overlay, which harvests usernames and passwords, as well as SMS-based two-factor authentication codes. The malware can also launch keyloggers and record the victim's device screen, if necessary, to get the same information. Intelligence gathered from a Telegram channel suggests Godfather is being distributed via a malware-as-a-service model, the researchers stated.

Infosecurity reports: "Godfather Trojan Targets 400 Financial Services Firms"
