A second instance of the GodFather malware targeting banking users by impersonating the MYT application has been detected by researchers at Cyble.
Earlier this March, the researchers shared an in-depth report on the malware and how it operates. In this instance, however, the researchers came across another attempt by the ransomware operators to target users with a bogus version of the well-known banking app.
The malware appears prolific in underground markets and has been reported to target users in European countries. In its latest campaign, the malware poses as an MYT application, with text in its code linking it to the Turkish language.
According to CRIL, the threat actors might be based in Turkey and are continuously targeting Android users in the Republic of Turkey.
In-depth look at the GodFather Malware
According to the researchers, the GodFather malware evades detection on the victim’s device, and upon further inspection it was found to use unique encryption algorithms to hinder detection.
Once installed on the victim’s device, it impedes detection by anti-virus programs and other security controls by posing as a legitimate app. Additionally, the app uses an icon and name similar to those of a legitimate app called MYT Music.
Once the potential victim installs the app, the malware starts collecting private data from the smartphone, including but not limited to SMS messages, basic device details such as installed app data, and the device’s phone number.
Moreover, because the app holds sensitive permissions, it can also use VNC to control the device’s screen and perform several malicious functions, such as call forwarding and inserting banking URLs into the victim’s phone browser.
Once installed, the malware requests 23 different permissions from the victim’s device, six of which can be detrimental to the device’s safety.
The permissions include reading the user’s contacts; reading the phone state, network type, and serial number; reading the list of accounts registered on the device; dialing or receiving calls without using the OS dialer; writing or deleting files on the device’s external storage; disabling the keyguard or other lock-screen security; and controlling the Accessibility Service.
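As an added triage example (not code from Cyble's report), the script below parses an Android manifest and flags the permission set the article describes. The mapping from the article's plain-English descriptions to `android.permission.*` constants is an assumption, and the manifest is constructed to illustrate the pattern.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the article's descriptions to permission constants.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "read the user's contacts",
    "android.permission.READ_PHONE_STATE": "phone state, network type, serial number",
    "android.permission.GET_ACCOUNTS": "accounts registered on the device",
    "android.permission.CALL_PHONE": "dial calls without the OS dialer",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write/delete files on external storage",
    "android.permission.DISABLE_KEYGUARD": "disable the keyguard / lock screen",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "control via Accessibility Service",
}

# Constructed sample manifest; package name and service name are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def requested_permissions(manifest_xml):
    """Collect uses-permission names plus permissions bound on <service> elements."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # BIND_ACCESSIBILITY_SERVICE is declared on the service, not as uses-permission.
    for svc in root.iter("service"):
        bound = svc.get(ANDROID_NS + "permission")
        if bound:
            perms.add(bound)
    return perms


def triage(manifest_xml):
    """Return the total permission count and the subset matching HIGH_RISK."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: HIGH_RISK[p] for p in sorted(perms) if p in HIGH_RISK}
    return {"total": len(perms), "flagged": flagged}
```

On a real APK, feed the decoded AndroidManifest.xml (for example from apktool output) to `triage`; an app that claims to be a music player yet requests the whole flagged set warrants closer inspection.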