URL: https://cyble.com/blog/godfather-malware-targets-500-banking-and-crypto-apps-worldwide/
Malware | November 6, 2024

GODFATHER MALWARE EXPANDS ITS REACH, TARGETING 500 BANKING AND CRYPTO
APPLICATIONS WORLDWIDE

Cyble analyzes the latest iteration of the GodFather Android banking trojan,
which targets over 500 cryptocurrency and banking applications and has expanded
its reach to Japan, Greece, Singapore, and Azerbaijan.


KEY TAKEAWAYS



 * Cyble Research and Intelligence Labs (CRIL) has identified a new variant of
   the GodFather malware that targets 500 banking and cryptocurrency apps.
 * Initially focused on the UK, US, Turkey, Spain, and Italy, GodFather has
   expanded its targeting to Japan, Singapore, Greece, and Azerbaijan.
 * The malware's malicious functionality has moved from Java code into native
   code.
 * The latest version requests only a few permissions and relies heavily on the
   Accessibility service to capture credentials from targeted applications.
 * The updated variant adds commands that automate gestures on the infected
   device, mimicking user actions.
 * The Threat Actor (TA) behind GodFather uses a phishing site to deliver the
   suspicious app and tracks visitor counts to plan further activity.


OVERVIEW



Cyble Research and Intelligence Labs (CRIL) recently identified a phishing site,
“mygov-au[.]app,” masquerading as the official MyGov website of the Australian
Government. Upon further analysis, this site was found to be distributing a
suspicious APK file linked to the GodFather Malware, known for its ability to
steal banking application credentials.


Figure 1 – Phishing site impersonating myGov website distributing APK file

The downloaded application, “MyGov.apk”, communicates with the URL
“hxxps://az-inatv[.]com/.” The app reports each installation and the device’s IP
address to the server, which records both in a text file. Figures 3 and 4 show
the code of index.php and count.php responsible for recording the count and the
IP address.

Figure 2 – Malware loading URL, which maintains the counter

Figure 3 – Getting counts and IP addresses

Figure 4 – Getting the IP address of an infected device

The URL “hxxps://az-inatv[.]com/” hosted an open directory containing a file
named counters.zip, which included the total count of infected devices and a
list of IP addresses. Additionally, the directory featured a page labeled “down”
that hosted another APK file called “lnat Tv Pro 2024.apk.” Upon analyzing this
APK, it was identified as the GodFather Malware.


Figure 5 – Open directory hosting counters.zip and GodFather malware

Upon examining the counters.zip file, we found 151 hits in hit.txt and 59
unique IP addresses, i.e., the number of devices that reached the counter.
Although it is the MyGov application that collects this data, we suspect the TA
uses these visitor numbers to estimate the potential victim pool before
switching the same website over to distributing the GodFather malware.

Figure 6 – Counters.zip content

Notably, we observed that the latest variant of the GodFather malware has moved
from Java code to native code implementation. It is now targeting 500 banking
and cryptocurrency applications and expanding its reach to Japan, Singapore,
Azerbaijan, and Greece. Further details on this new variant of GodFather are
provided in the following section.


TECHNICAL DETAILS



In the latest version, the GodFather malware operates with minimal permissions,
relying heavily on the Accessibility service to carry out its malicious
activities.


Figure 7 – Manifest with limited permissions
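A first-pass manifest check that encodes the profile described above (an Accessibility service, very few declared permissions, no SMS permissions). This is an added example, not Cyble's tooling or the malware's code; the manifest is constructed to resemble what apktool would decode, and the "at most five permissions" threshold is an assumed heuristic, not a rule the page states.

```python
"""Triage a decoded AndroidManifest.xml for the GodFather-style profile:
few declared permissions, an AccessibilityService, and no SMS permissions.
Added example; the manifest below is constructed, not the real sample's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed manifest (not taken from the sample), in the form apktool emits.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.inattvpro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Inat Tv Pro 2024">
    <activity android:name=".MainActivity"/>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def parse_manifest(xml_text):
    """Collect the package name, declared permissions and accessibility services."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    acc_services = []
    for svc in root.iter("service"):
        binds_acc = attr(svc, "permission") == ACCESSIBILITY_BIND
        actions = {attr(a, "name") for a in svc.iter("action")}
        if binds_acc or ACCESSIBILITY_ACTION in actions:
            acc_services.append(attr(svc, "name"))
    return {
        "package": root.get("package"),
        "permissions": perms,
        "accessibility_services": acc_services,
    }


def triage(info, max_perms=5):
    """Heuristic findings for an analyst; max_perms is an assumed threshold."""
    findings = []
    if info["accessibility_services"]:
        findings.append("accessibility-service")
    if len(info["permissions"]) <= max_perms:
        findings.append("minimal-permissions")
    if not info["permissions"] & SMS_PERMS:
        findings.append("no-sms-permissions")
    if {"accessibility-service", "minimal-permissions"} <= set(findings):
        findings.append("godfather-like-profile")
    return findings


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info["package"], sorted(info["permissions"]))
    print(triage(info))
```

The combination is a triage signal, not a verdict: plenty of legitimate accessibility apps declare little else, so a "godfather-like-profile" hit should send the APK to the native-code and C&C checks that follow rather than be treated as a detection on its own.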

Native Code Implementation

Starting our analysis with the classes specified in the manifest file, we
observed that the malware calls numerous native methods implementing
functionality that earlier variants implemented in Java.


Figure 8 – Calls to native methods

These native functions implement various malicious capabilities, including
loading an injection URL into the WebView, executing automated gestures,
establishing connections with the Command and Control (C&C) server, and
keylogging.

Figure 9 – Native code implementation

C&C Server

Similar to the previous variant, the latest samples also connect to the Telegram
URL “hxxps://t.me/gafaramotamer,” where the TA has embedded a Base64-encoded C&C
URL. The malware retrieves and decodes this URL to
“hxxps://akozamora[.]top/z.php.”

Figure 10 – Malware fetches C&C server URL from Telegram Profile
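The dead-drop step can be reproduced for analysis without running the sample: fetch the Telegram profile page, pull out any Base64 token that decodes to an http(s) URL, and defang it for the report. This is an added example, not the malware's code or Cyble's; the page says only that the TA embedded a Base64-encoded C&C URL on the profile, so the HTML below is constructed (the bio placement and the tgme_page_description class are assumptions), a decoy Base64 string is included to show the filtering, and everything runs offline.

```python
"""Emulate GodFather's dead-drop resolver: pull a Base64-encoded C&C URL out of
a Telegram profile page, then defang it for reporting. Added example, not the
malware's code; the page HTML below is constructed and processed offline."""
import base64
import binascii
import re
from urllib.parse import urlparse

C2_PLAINTEXT = "https://akozamora.top/z.php"

# Constructed stand-in for the hxxps://t.me/<profile> page. The bio carries the
# encoded C&C URL next to a decoy Base64 string that is not a URL.
SAMPLE_PAGE = f"""<html><body>
<div class="tgme_page_title"><span>gafaramotamer</span></div>
<div class="tgme_page_description">
  SGVsbG8gd29ybGQ= {base64.b64encode(C2_PLAINTEXT.encode()).decode()}
</div>
</body></html>"""

# Runs of Base64 alphabet characters long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def decode_candidate(token):
    """Return the decoded text if token is valid Base64 holding UTF-8, else None."""
    if len(token) % 4:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def resolve_dead_drop(page_html):
    """Every Base64 token on the page that decodes to an http(s) URL."""
    urls = []
    for token in B64_TOKEN.findall(page_html):
        text = decode_candidate(token)
        if text is None:
            continue
        parsed = urlparse(text)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            urls.append(text)
    return urls


def defang(url):
    """Render as hxxps://host[.]tld/path so it is safe to paste into a report."""
    parsed = urlparse(url)
    host = parsed.netloc.replace(".", "[.]")
    scheme = parsed.scheme.replace("http", "hxxp")
    query = f"?{parsed.query}" if parsed.query else ""
    return f"{scheme}://{host}{parsed.path}{query}"


if __name__ == "__main__":
    for u in resolve_dead_drop(SAMPLE_PAGE):
        print(defang(u))
```

For a live profile the same two functions apply to the fetched HTML; the URL filter is what keeps random long identifiers on the page (which also happen to be valid Base64) out of the result.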

Targeting 500 Crypto and Banking Applications

After decoding the URL, the malware begins communication by sending data such as
the list of installed application package names, the device’s default language,
model name, and SIM name. In return, it receives a list of 500 targeted
application package names associated with banking and cryptocurrency apps. In
addition to previous targets in the UK, US, Turkey, Spain, and Italy, GodFather
has expanded its reach, now including Japan, Singapore, Greece, and Azerbaijan.

Figure 11 – Receives the list of target application package names

When the user tries to interact with the target application, the malware closes
the genuine application. Instead, it loads a fake banking or crypto login URL
into the WebView or displays a blank screen. It constructs the injection URL
using the C&C server “hxxps://akozamora[.]top/” and appends the endpoint
“rx/f.php?f=” along with the device name, package name, and default language,
then loads the assembled URL in the WebView.

Figure 12 – Loading fake login pages

The GodFather malware has successfully replaced the traditional overlay attack
with this technique. Rather than launching the legitimate application, the
malware activates itself and loads a phishing page to steal banking credentials.


COMMANDS ADDED IN NEW VERSION



The previous version included commands for USSD and SMS operations, which have
been removed in the latest version. Additionally, this malware version lacks
permission to collect or send SMS messages from the infected device. Instead,
the newly added commands focus primarily on automating actions on the infected
device. Below is a list of commands observed in the latest version of the
GodFather malware.

Command | Description
clickposition | Clicks at the X and Y position received from the server
backed | Takes the user to the previous screen
home | Takes the user to the home screen
recents | Takes the user to the recent apps screen
scrollforward | Scrolls the page forward using the given parameter
scrollback | Scrolls the page backward using the given parameter
opencontrol | Performs gestures on the target app
setpattern | Receives a value from the server and saves it in the shared preference “pc”
screenlight | Manages the screen brightness
sl2 | Sets up a wake lock to keep the device awake
sl3 | Similar to sl2
autopattern | Enters the value received via “setpattern” on the device screen using the Accessibility service
csn | Sets the timer that initiates the WebSocket connection
swpfull | Performs a swipe operation
upswp | Swipes up
downswp | Swipes down
leftswp | Swipes left
rightswp | Swipes right
vncreset | Not implemented
opnap | Opens the application whose package name is received from the server
gif | Loads a GIF from “hxxps://s6.gifyu.com/images/S8uz3.gif”
opnsttings | Opens the Settings app
opnsound | Opens the sound settings
opnmsc | Opens the notification settings
opnpckg | Not implemented
notifyopen | Opens notifications using the Accessibility service
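Because the command handling now lives in native code, the command vocabulary above is one of the easier things to recover from an unknown sample: run the equivalent of strings over the lib/*/*.so entries of the APK and compare against the known set. The script below does that and is an added example, not Cyble's or the malware's code; the APK it scans is constructed in memory, and which commands count as "distinctive" (dropping short generic words such as home, gif, sl2) is a design choice of this example.

```python
"""Pull the command vocabulary from the native libraries inside an APK, the way
`strings lib/*/*.so` would, and score it against the GodFather command set.
Added example; the APK below is constructed in memory, not the real sample."""
import io
import re
import zipfile

GODFATHER_COMMANDS = {
    "clickposition", "backed", "home", "recents", "scrollforward", "scrollback",
    "opencontrol", "setpattern", "screenlight", "sl2", "sl3", "autopattern",
    "csn", "swpfull", "upswp", "downswp", "leftswp", "rightswp", "vncreset",
    "opnap", "gif", "opnsttings", "opnsound", "opnmsc", "opnpckg", "notifyopen",
}
# Short or generic words are excluded from scoring so benign binaries do not match.
DISTINCTIVE = GODFATHER_COMMANDS - {"home", "gif", "csn", "sl2", "sl3", "backed", "recents"}

# Runs of at least four printable ASCII bytes, like the `strings` default.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def strings(blob):
    """Printable ASCII runs in a binary blob, decoded to str."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def native_libs(apk_bytes):
    """Yield (name, bytes) for every shared object under lib/ in the APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                yield name, z.read(name)


def score_apk(apk_bytes):
    """Map each native lib to the sorted distinctive GodFather commands found in it."""
    report = {}
    for name, blob in native_libs(apk_bytes):
        found = set()
        for s in strings(blob):
            # Split on non-alphanumerics so "cmd=opnap&x" still yields "opnap".
            for tok in re.split(r"[^A-Za-z0-9]+", s):
                if tok in DISTINCTIVE:
                    found.add(tok)
        report[name] = sorted(found)
    return report


def build_sample_apk():
    """Constructed APK: one native lib whose data section carries command names
    separated by NULs and opaque bytes, plus a benign lib with no commands."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00binary-xml")
        z.writestr(
            "lib/arm64-v8a/libnative.so",
            b"\x7fELF\x02\x01\x01" + b"\x00" * 8
            + b"clickposition\x00setpattern\x00\xff\x13autopattern\x00"
            + b"opencontrol\x00rx/f.php?f=\x00notifyopen\x00sl2\x00",
        )
        z.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF" + b"\x00" * 16 + b"JNI_OnLoad\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, cmds in score_apk(build_sample_apk()).items():
        print(f"{lib}: {len(cmds)} distinctive commands -> {cmds}")
```

A handful of hits is enough to prioritise a sample for the C&C and injection-URL checks; a packed or encrypted library will show nothing here, which is itself worth noting in the triage record.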


CONCLUSION



The latest version of the GodFather malware shows how dangerous and adaptable
mobile threats have become. By moving to native code and using fewer
permissions, the attackers have made GodFather harder to analyze and better at
stealing sensitive information from banking and cryptocurrency apps. With its
new automated actions and broader targeting of apps in more countries, this
malware poses a growing risk to users worldwide. Staying alert and using strong
security practices on mobile devices is essential to avoid falling victim to
threats like GodFather.


OUR RECOMMENDATIONS



We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:

 * Download and install software only from official app stores like Google Play
   Store or the iOS App Store.
 * Use a reputed anti-virus and internet security software package on your
   connected devices, such as PCs, laptops, and mobile devices.
 * Use strong passwords and enforce multi-factor authentication wherever
   possible.
 * Enable biometric security features such as fingerprint or facial recognition
   for unlocking the mobile device where possible.
 * Be wary of opening any links received via SMS or emails delivered to your
   phone.
 * Ensure that Google Play Protect is enabled on Android devices.
 * Be careful when granting permissions, and treat requests for Accessibility
   access with particular suspicion.
 * Keep your devices, operating systems, and applications updated.


MITRE ATT&CK® TECHNIQUES



Tactic | Technique ID | Procedure
Initial Access (TA0027) | Phishing (T1660) | Malware distributed via a phishing site
Execution (TA0041) | Native API (T1575) | Malicious functionality implemented in native code
Persistence (TA0028) | Scheduled Task/Job (T1603) | Uses a timer to initiate the WebSocket connection
Defense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware posing as a genuine application
Discovery (TA0032) | Application Discovery (T1418) | Collects the list of installed package names to identify targets
Defense Evasion (TA0030) | Input Injection (T1516) | Mimics user interaction: clicks, gestures, and input
Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Captures keystrokes
Discovery (TA0032) | System Information Discovery (T1426) | Collects basic device information
Command and Control (TA0037) | Web Service: Dead Drop Resolver (T1481.001) | Fetches the C&C server URL from Telegram
Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data to the C&C server


INDICATORS OF COMPROMISE (IOCS)



Indicator | Indicator Type | Description
d8165712329fa120b5cc696514b5dd0d7043fbf7d6b6ef5f767348e0ba31aa6e | SHA256 | Analyzed GodFather malware
e789b03b60ad99727ea65b52ce931482fb70814e | SHA1 | Analyzed GodFather malware
87ccf62e07cf69c25a204bffdbc89630 | MD5 | Analyzed GodFather malware
hxxps://akozamora[.]top/ | URL | C&C server
hxxps://t.me/gafaramotamer | URL | Telegram profile from which the malware fetches the C&C URL
hxxps://az-inatv[.]com | URL | URL hosting the new GodFather variant
mygov-au[.]app | Domain | Phishing domain distributing the counter app
… variant hashes



