A piece of malware called “Godfather” is targeting users of crypto apps and other services, according to a statement from German regulator BaFin on Jan. 9.
BaFin said that Godfather affects about 400 cryptocurrency and banking apps. More specifically, the malware targets 110 crypto exchanges, 94 crypto wallets, and 215 banking apps, according to a separate report published by Group IB in December.
Godfather steals login credentials by displaying fake login windows on top of the real ones (an overlay attack), deceiving users into entering their data into a form the attackers monitor.
Godfather runs only on Android devices. To establish itself, it mimics Google Protect: it performs a fake malware scan of Play Store downloads and hides itself from the list of installed applications. By posing as Google Protect, Godfather can also abuse Android's AccessibilityService to gain further access to the device and relay data to the attackers.
Godfather specifically tailors its fake windows to the applications already installed on the user's device. Beyond overlays, it can also record the screen, run keyloggers, forward calls carrying 2FA codes, send SMS messages, and use various other techniques.
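As an added example that is not part of the article or of any Group IB or BaFin material, the following Android code shows two defensive checks a banking or crypto app can make against the overlay and accessibility abuse described above: it tells the framework to drop touches delivered while another window is drawn over the password field, and it audits which accessibility services are enabled. The layout and view ids (`R.layout.activity_login`, `R.id.password`), the trusted-package allow-list, and the log tag are assumptions for the illustration.

```java
// Added example (not from the article): defensive checks for an Android login screen.
// Assumes an AppCompat activity with a layout containing a password EditText.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.accessibility.AccessibilityManager;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class LoginActivity extends AppCompatActivity {

    // Hypothetical allow-list: accessibility services the app owner considers
    // legitimate (here, the TalkBack screen reader). Any other enabled service
    // is surfaced to the user rather than silently accepted.
    private static final List<String> TRUSTED_ACCESSIBILITY_PACKAGES =
            Arrays.asList("com.google.android.marvin.talkback");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);      // assumed layout

        EditText password = findViewById(R.id.password); // assumed view id
        // Overlay mitigation: when another window is drawn over this view, the
        // framework marks touches with FLAG_WINDOW_IS_OBSCURED and, with this
        // flag set, discards them instead of delivering them to the field.
        password.setFilterTouchesWhenObscured(true);

        List<String> untrusted = untrustedAccessibilityServices(this);
        if (!untrusted.isEmpty()) {
            // Tell the user which services can read the screen and inject input;
            // a real app would also report this to its backend risk engine.
            Toast.makeText(this,
                    "Unrecognised accessibility services enabled: " + untrusted,
                    Toast.LENGTH_LONG).show();
        }
    }

    /** Returns the packages of enabled accessibility services not on the allow-list. */
    static List<String> untrustedAccessibilityServices(Context ctx) {
        List<String> result = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return result;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED_ACCESSIBILITY_PACKAGES.contains(pkg)) {
                result.add(pkg);
            }
        }
        return result;
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Detection signal: a touch arriving while the window is obscured is
        // exactly what a fake login window drawn on top of the real one produces.
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            Log.w("LoginActivity", "touch received while window obscured");
        }
        return super.dispatchTouchEvent(ev);
    }
}
```

The touch filter alone does not stop credential theft if the user types into the fake window rather than the real one, so the accessibility audit and the obscured-touch log line are there to give the app and its backend a signal that something is sitting between the user and the genuine login screen.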
Though Germany warned of Godfather attacks today, the attacks are not isolated to that country. Group IB said in its report that Godfather has targeted users in 16 countries, including the U.S., Turkey, Spain, Canada, France, and the U.K. Notably, the malware does not run on devices whose system language is set to Russian or to certain other languages.
Group IB suggested that Godfather was spread in part through a malicious Google Play application. However, the security research group said there is an overall "lack of clarity" about how this particular piece of malware infects devices.
Credential phishing does not require infecting the user's device at all: such attacks can be carried out solely with fake emails and websites that resemble their real counterparts, relying on human error rather than on a compromised device.