Recently, the Federal Financial Supervisory Authority (BaFin), Germany's financial regulator, released a statement warning about malware called "Godfather," which targets users of crypto applications and other services.
According to the regulator, the malware has affected about 400 cryptocurrency and banking applications. In December, a separate report from Group-IB, a cybersecurity firm, identified the malware's primary targets as 110 crypto exchanges, 94 crypto wallets, and around 215 banking applications.
Sources reveal that the malware steals login data by displaying fake login windows on top of the real ones, deceiving users into entering their credentials into a form the attackers monitor. It apparently runs only on Android devices and mimics Google Protect in order to establish itself.
It then pretends to scan Play Store downloads for malware and hides itself from the list of installed applications. By imitating Google Protect, the malware also obtains access to Android's "AccessibilityService," which it uses to control the device and relay data to attackers.
The malware specifically imitates the applications installed on a user's device, but it can also record the screen, run keyloggers, forward calls carrying 2FA codes, send SMS messages, and use various other techniques.
Although the warning came from German regulators, the attacks are not limited to that country. The December report also stated that Godfather targeted users in 16 countries, including the United States, Turkey, Canada, France, and the United Kingdom. Notably, the malware does not run on devices set to certain languages, including Russian.
According to Group-IB's report, the malware spreads in part through a malicious Google Play application. However, the researchers noted that there is still a "lack of clarity" about how the malware infects devices.
Phishing malware is reportedly fairly common: one similar strain, Mars Stealer, emerged in 2022, and another, Raccoon, was seen in 2021.
In 2021, Todayq News reported on a study by the Russian cybersecurity firm Kaspersky, which found almost 1,500 fraudulent entities in the first half of that year. The report also stated that almost 0.60% of South African users were targeted by malicious crypto miners. The most common ways of duping users included false advertisements, claims to sell mining equipment, and fake websites.
Security experts note, however, that phishing does not require infecting a user's device at all; it can be carried out solely through bogus emails and websites that resemble their real counterparts.