Cyble researchers have identified a new stealthier variant of the GodFather malware that uses native code and automated actions to target as many as 500 banking and cryptocurrency apps.
“The latest version of the GodFather malware shows how dangerous and adaptable mobile threats have become,” the Cyble researchers wrote. “By moving to native code and using fewer permissions, the attackers have made GodFather harder to analyze and better at stealing sensitive information from banking and cryptocurrency apps.”
GodFather Malware Expands Targets to Include Japan, Singapore
The Cyble Research and Intelligence Labs (CRIL) researchers noted that the infostealer has expanded its target countries from the UK, U.S., Turkey, Spain and Italy to add Japan, Singapore, Greece and Azerbaijan.
The previous Java code implementation has moved to native code for its malicious activities, and the malware now relies on limited permissions, “relying heavily on Accessibility services to capture credentials from targeted applications,” the researchers said.
Commands for USSD and SMS operations have been dropped from the latest version, and the malware lacks permission to collect or send SMS messages from infected devices. Instead, newly added commands focus primarily on automating actions on infected devices.
The new GodFather malware commands “enable the malware to automate gestures on infected devices, mimicking user actions,” the CRIL blog said.
“With its new automated actions and broader targeting of apps in more countries, this malware poses a growing risk to users worldwide,” Cyble said.
Overlay Attack Replaced by Fake Login URL
In one interesting twist, instead of a traditional overlay attack, the malware no longer loads the legitimate application and instead activates itself and loads a phishing page to steal banking credentials.
“When the user tries to interact with the target application, the malware closes the genuine application,” the researchers said. “Instead, it loads a fake banking or crypto login URL into the WebView or displays a blank screen.”
It constructs the injection URL using the command and control (C&C) server akozamora[.]top and appends the endpoint rx/f.php?f= along with the device name, package name and default language before loading the assembled URL in the WebView.
New GodFather Malware Variant Found on Phishing Site
The researchers found the new malware variant after discovering a phishing site, mygov-au[.]app, that spoofed the official MyGov website of the Australian Government. “Upon further analysis, this site was found to be distributing a suspicious APK file linked to the GodFather Malware, known for its ability to steal banking application credentials,” the researchers said.
That application, MyGov.apk, communicates with the URL az-inatv[.]com. That site hosts an open directory containing a file named counters.zip that tracked infected devices and included a list of IP addresses. The directory also included a page labeled “down” that hosted another APK file called lnat Tv Pro 2024.apk, which the researchers identified as the GodFather Malware.
“While the MyGov application collected this data, we suspect the TA may leverage this visitor information to identify potential victim counts and later use the same website to distribute the GodFather malware,” Cyble said.
The researchers recommended following good security practices, such as only installing apps from official app stores like the Google Play Store or the iOS App Store, keeping devices and apps updated, and using antivirus, strong passwords, biometrics and multi-factor authentication.
The full blog also includes MITRE ATT&CK techniques and indicators of compromise (IoC).
