Android has a problem: it is basically the most widespread operating system in the world. That obviously includes Spain, and although Apple continues to maintain a market share that still rivals the Google platform, the system is incredibly well established around the world. Therefore, when a virus like Godfather appears, all the alarms go off.
According to BleepingComputer, a banking malware called Godfather is in use with a very considerable reach of up to 16 countries. It is currently being used to steal bank account credentials from 400 entities around the world, including cryptocurrency exchange sites.
This, again, includes Spain, since most of the affected countries, according to Cyble, are European, and the malware has been confirmed to be active here. In addition, its nature is dangerous: once the device is infected, it can do almost everything that a user would be capable of.
Godfather, Android virus
It all starts with Group-IB, the discoverers of Godfather, who labeled it a dangerous Trojan. This group of analysts considers it a successor of Anubis, another large banking Trojan that was used very widely in the past. Anubis is now obsolete because of security patches introduced in the latest versions of Android.
The way this malware operates is very ingenious. It generates overlay login screens on top of the login forms of banking and cryptocurrency exchange applications. Thus, when victims try to log into such applications, they actually log into the malware, and their credentials are sent to phishing HTML pages.
[Image: Godfather projection. Credit: Group-IB]
Affected countries include the United States, Turkey, Canada, France, Germany and the United Kingdom, as well as Spain. In our country, Godfather affects about thirty applications, and overall it threatens more than 110 cryptocurrency exchange platforms and 94 cryptowallet applications.
But how does it work? Once installed on the victim's device, Godfather mimics the platform's security ecosystem. In the case of Android, it mimics Google Play Protect, the security tool built into the Google Play Store app store.
[Image: Banking apps affected by Godfather. Credit: Group-IB]
Upon installation, it requests access to the system's Accessibility Service while posing as Google Play Protect, and asks for the user's approval. When the user gives the go-ahead, the malware gains access to all device permissions and gets virtually full functionality over the whole phone.
Godfather is able to read text messages and notifications, read calls, record the screen, write to external storage and check device status. It is even able to make calls. In fact, it takes advantage of the Accessibility Service to prevent the user from uninstalling the Trojan. It also leaks Google Authenticator passwords and steals the content of the system's password and PIN fields.
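Because the whole chain depends on the user enabling an accessibility service for an app that poses as Google Play Protect, a defender can audit which services hold that access. The following is an added example, not part of the original article or of Group-IB's research: it parses the value printed by `adb shell settings get secure enabled_accessibility_services`. The sample value, the label map, the allowlist and the `com.example.fakeprotect` package are constructed assumptions.

```python
"""Audit enabled Android accessibility services for Play Protect look-alikes."""

# Constructed sample of the setting value: colon-separated "package/class".
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakeprotect/com.example.fakeprotect.Svc"
)
# Constructed package -> user-visible label map (hypothetical inventory data).
SAMPLE_LABELS = {
    "com.google.android.marvin.talkback": "TalkBack",
    "com.example.fakeprotect": "Google Play Protect",
}
# Assumptions: packages this fleet expects to hold accessibility access, and
# the Google packages that genuinely provide Play Protect.
ALLOWED = {"com.google.android.marvin.talkback"}
PLAY_PROTECT_OWNERS = {"com.google.android.gms", "com.android.vending"}


def parse_services(setting):
    """Return [(package, class)] from the raw setting value."""
    setting = (setting or "").strip()
    if setting in ("", "null"):          # nothing enabled
        return []
    out = []
    for item in setting.split(":"):
        pkg, sep, cls = item.strip().partition("/")
        if not pkg or not sep or not cls:
            continue                     # skip malformed entries
        if cls.startswith("."):          # short form is relative to package
            cls = pkg + cls
        out.append((pkg, cls))
    return out


def audit(setting, labels, allowed=ALLOWED):
    """Flag services outside the allowlist; mark Play Protect impersonation."""
    findings = []
    for pkg, cls in parse_services(setting):
        if pkg in allowed:
            continue
        label = labels.get(pkg, "").lower()
        lure = "play protect" in label and pkg not in PLAY_PROTECT_OWNERS
        reason = "impersonates Play Protect" if lure else "not on allowlist"
        findings.append({"package": pkg, "service": cls, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTING, SAMPLE_LABELS):
        print(finding)
```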
[Image: Godfather infrastructure graphic. Credit: Group-IB]
At this point, Godfather simply has to obtain the victim's credentials by taking screenshots or recording the screen. As if that were not enough, it can execute certain commands sent from the server, which go as far as deleting itself from the device and thus erasing its trail. Other commands include sending SMS to all contacts to spread the Trojan or opening web pages.
The scope of Godfather is worrying since, according to Cyble, the Trojan's activity allowed it to impersonate a very popular application in Turkey, which has caused it to be downloaded up to 10 million times on Google Play.
Although the origin of the Trojan itself is not known, there is an interesting detail: when the Trojan detects that the language of the device is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek or Tajik, it stops completely. Thus, it follows that the authors of Godfather are Russian and would belong to the Commonwealth of Independent States, or CIS.