KEY POINTS

  • The malware shows fake websites and generates login screens when victims try to log in to legitimate banking and cryptocurrency apps
  • Once on the device, Godfather disguises itself as Google Protect to gain access to the device's Accessibility Service
  • When a victim approves the request, Godfather can grant itself all permissions needed to execute malicious operations

German finance regulator BaFin has warned consumers about Godfather, a malware capable of wiping banking and crypto accounts clean by collecting user data.

German financial authorities have so far raised the alarm on the increasing spread of the malware, which is also notorious for targeting 110 cryptocurrency exchange platforms and 94 crypto wallet apps.

The malware attacks users by showing fake websites and generating login screens when victims try to log in to legitimate banking and cryptocurrency apps, according to BaFin. The malware then steals the victims' login credentials.

"With this data, the cyber criminals may be able to gain access to consumers' accounts and wallets," BaFin said, as per Google's translation of the finance regulator's statement released Monday.

Once on the device, Godfather disguises itself as Google Protect, a standard tool available on all Android devices, and mimics a device scan in order to obtain access to the Accessibility Service.

Once the victim approves the request, Godfather can grant itself all permissions needed to execute malicious operations, including SMS and text notifications, contacts, screen recording, making calls, reading device status and writing to external storage.

Godfather also abuses the Accessibility Service to prevent users from removing the trojan, and further uses it to process commands, steal the contents of PIN and password fields and exfiltrate Google Authenticator one-time passwords (OTPs).
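The abuse described above leaves a footprint a defender can check for: a sideloaded app that holds the Accessibility Service and presents itself with Google branding. The following triage helper is an added example, not code from BaFin or Group-IB. It parses the text returned by two real adb queries (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -f -3`) plus a launcher-label map; the sample outputs and package names below are constructed placeholders, not indicators from any report.

```python
"""
Triage helper for Accessibility Service abuse on Android.
Flags (a) third-party packages that hold the Accessibility Service and
(b) packages whose launcher label borrows Google branding without being a
Google package. Added example; sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Packages that legitimately carry the Google Play / Play Protect branding.
GOOGLE_PACKAGES = {"com.google.android.gms", "com.android.vending"}

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated "package/service" entries; TalkBack is a legitimate entry).
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.placeholder.protect/.ScanService"
)

# Constructed sample of `pm list packages -f -3` (third-party apps only,
# one "package:<apk path>=<package name>" line each).
SAMPLE_THIRD_PARTY = """\
package:/data/app/com.example.placeholder.protect-1/base.apk=com.example.placeholder.protect
package:/data/app/com.example.bank-2/base.apk=com.example.bank
"""

# Constructed label map (what the launcher shows for each package).
SAMPLE_LABELS = {
    "com.example.placeholder.protect": "Google Protect",
    "com.example.bank": "Example Bank",
}


@dataclass
class Finding:
    package: str
    reason: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Return (package, service) pairs; the setting reads 'null' when none are enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, _, svc = entry.partition("/")
        pairs.append((pkg, svc))
    return pairs


def parse_third_party(raw: str) -> set[str]:
    """Extract package names from `pm list packages -f` output lines."""
    return set(re.findall(r"=(\S+)$", raw, flags=re.M))


def triage(enabled_raw: str, third_party_raw: str, labels: dict[str, str]) -> list[Finding]:
    """Cross-check enabled accessibility services and labels against the third-party list."""
    third_party = parse_third_party(third_party_raw)
    findings: list[Finding] = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        if pkg in third_party:
            findings.append(Finding(pkg, f"third-party app holds Accessibility Service {svc}"))
    for pkg, label in labels.items():
        if "google" in label.lower() and pkg not in GOOGLE_PACKAGES:
            findings.append(Finding(pkg, f"label {label!r} uses Google branding from a non-Google package"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY, SAMPLE_LABELS):
        print(f"[!] {finding.package}: {finding.reason}")
```

On a real device the two raw strings come from the adb commands named in the lead-in, and the label map from `aapt dump badging` on each APK; a hit on either rule is a reason to review the app before it is allowed to keep the Accessibility Service.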

The Android banking malware was first discovered by Group-IB analysts, who think it is the heir of Anubis, a widely used banking trojan that eventually fell out of use because it could not bypass Android's updates.

It was ThreatFabric that first discovered Godfather in March 2021, but the trojan has evolved through code upgrades and massive improvements since then.

Security researchers posited that the authors of Godfather could be Russian speakers, possibly based in the Commonwealth of Independent States (CIS) region, because they noticed that the trojan is configured to check the system language and, if it is set to Russian, Armenian, Belarusian, Tajik, Uzbek, Kyrgyz, Azerbaijani or Moldovan, the malware stops operating.

The banking malware targeted over 400 international financial companies between June 2021 and October 2022, Group-IB reportedly said, noting that "banking applications in the United States, Turkey, Spain, Canada, France, Germany and the United Kingdom have been the most targeted by Godfather."

The team added, "An analysis of the Trojan's network infrastructure revealed a domain that contains the C&C address of an Android application. Group-IB analysts believe that one of the ways that #Godfather is distributed is via decoy applications hosted on Google Play."
