GodFather Malware Under the Lens

Android Malware Targeting Banking Users Across Europe

During our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a Twitter post in which researchers mentioned an Android banking bot named GodFather that uses the app name apkversion1.1.5.43 and an icon similar to the default Settings app.

Upon analyzing the malware sample, we found notable similarities with the Cerberus and Medusa banking trojans. GodFather acts on commands from the Threat Actor’s (TA’s) Command & Control (C&C) server to steal sensitive information from the victim’s device.

Upon successful execution, the malware can perform malicious activities such as transferring money and collecting device information such as the phone number, installed app list, battery info, etc.

By further abusing the permissions on the affected device, the malware can also steal SMSs, control the device screen using VNC, forward calls, and open URLs without the user’s knowledge.

Technical Analysis

APK Metadata Information

  • App Name:  apkversion1.1.5.43
  • Package Name: com.rduzmauwns.jieliysagr
  • SHA256 Hash: 0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8

Figure 1 shows the metadata information of the application.

Figure 1 – App Metadata Information

The figure below shows the application icon and name displayed on the Android device.

Figure 2 – App Icon and Name

Manifest Description

The malware requests 23 different permissions from the user, out of which it abuses 11. These dangerous permissions are listed below.

| Permissions | Description |
|---|---|
| READ_SMS | Access SMSs from the victim’s device. |
| RECEIVE_SMS | Intercept SMSs received on the victim’s device. |
| READ_CONTACTS | Access phone contacts. |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which attackers can potentially misuse. |
| SEND_SMS | Allows an application to send SMS messages. |
| CALL_PHONE | Allows an application to initiate a phone call without going through the dialer user interface for the user to confirm the call. |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files in the device’s external storage. |
| WRITE_SMS | Allows the app to modify or delete SMSs. |
| DISABLE_KEYGUARD | Allows the app to disable the keylock and any associated password security. |
| BIND_ACCESSIBILITY_SERVICE | Used for Accessibility Service. |
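The permission set above can be turned into a triage check for other APKs. The following is an added example, not code from the Cyble analysis: it assumes the manifest has already been decoded to text XML (for instance with apktool), and the function name, package name and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# The 11 permissions the report lists as abused by the GodFather sample.
ABUSED = {
    "READ_SMS", "RECEIVE_SMS", "READ_CONTACTS", "READ_PHONE_STATE",
    "RECORD_AUDIO", "SEND_SMS", "CALL_PHONE", "WRITE_EXTERNAL_STORAGE",
    "WRITE_SMS", "DISABLE_KEYGUARD", "BIND_ACCESSIBILITY_SERVICE",
}

# Constructed sample manifest (decoded text XML); all names are illustrative.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".ExampleService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Report which of the abused permissions a decoded manifest uses."""
    root = ET.fromstring(xml_text)
    requested = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            requested.add(name[len(PREFIX):])
    # BIND_ACCESSIBILITY_SERVICE is declared on a <service> element,
    # not requested through <uses-permission>, so check it separately.
    bind = PREFIX + "BIND_ACCESSIBILITY_SERVICE"
    services = [svc.get(ANDROID_NS + "name")
                for svc in root.iter("service")
                if svc.get(ANDROID_NS + "permission") == bind]
    if services:
        requested.add("BIND_ACCESSIBILITY_SERVICE")
    matched = sorted(requested & ABUSED)
    return {
        "package": root.get("package"),
        "matched": matched,
        "accessibility_services": services,
        "coverage": len(matched) / len(ABUSED),
    }
```

A high coverage value together with a declared accessibility service is a reason to escalate the APK for manual review; it is not proof of malice on its own, since legitimate apps also request several of these permissions.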

We observed a defined launcher activity in the malicious app’s manifest file, which loads the application’s first screen, as shown below.

Figure 3 – Launcher Activity

Source Code Review

During our analysis, we observed that the malware initially requests the victims to enable Accessibility, and then it hides its icon from the Android device’s screen.

The malware uses the code snippet shown in the image below to hide its icon from the device screen.

Figure 4 – Code to Hide Icon

The malware calls the SendNewUser() method to get the victim’s device details and post them to the TA’s C&C server, as shown in Figure 5.

Figure 5 – Code to Get New Victim’s Info

The malware can perform money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialer user interface, as shown in the code snippet below.

Figure 6 – Code to Transfer Money through USSD

The malware also uses the method SmsSender() to send multi-part text-based SMSs, as shown below. This is done to bypass character limitations while sending SMSs.

Figure 7 – Code to Send SMS

The code snippet below shows the malware’s ability to steal SMSs present on the victim’s device.

Figure 8 – Code to Steal Text SMSs

The malware uses the method callForward() to forward the victim’s incoming calls to a number provided by the TA’s C&C server, as shown in the figure below.

Figure 9 – Code to Forward Calls

The method linkopen() allows the malware to open URLs in the device browser without the user’s intervention, as shown in Figure 10.

Figure 10 – Code to Open URL in Browser

Figure 11 shows the code that gives the malware the ability to steal application key logs.

Figure 11 – Code to Steal Application Keylogs

The malware also uses VNC Viewer to remotely view/control the screens of an infected device, as shown below.

Figure 12 – Uses VNC Viewer to Control Device Screen

The malware fetches the C&C URL, to which it will send the sensitive data from the victim’s device, from the Telegram channel hxxps://t[.]me/dobrynyanikitichsobre, as shown in Figure 13. While analysing the sample, we could not observe any C&C communication activity, as the malware failed to get the C&C URL from the Telegram channel.

Figure 13 – Gets C&C URL from Telegram Channel
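Because the C&C address is resolved through a Telegram channel, a fetch of that channel by an app other than a Telegram client or browser is a useful network signal. The following is an added example, not part of the original analysis: the three-field proxy log format, the device and app names, and the function names are constructed assumptions; only the defanged channel URL comes from the report.

```python
from urllib.parse import urlsplit

# Defanged IOC exactly as published in the report.
IOC_DEFANGED = "hxxps://t[.]me/dobrynyanikitichsobre"

# Constructed proxy log lines: "<device> <client app> <url>" (assumed format).
SAMPLE_LOG = """\
tablet-07 org.telegram.messenger https://t.me/somepublicchannel
phone-12 com.example.constructed https://T.me/dobrynyanikitichsobre/
phone-12 com.example.constructed https://example.org/index.html
phone-31 com.android.chrome https://t.me.example.org/dobrynyanikitichsobre
"""

def refang(ioc):
    """Turn a defanged indicator back into a parseable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def channel_key(url):
    """Normalise a URL to (host, first path segment), lower-cased."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    first = segments[0].lower() if segments else ""
    return (parts.hostname or "").lower(), first

def find_dead_drop_fetches(log_text, ioc=IOC_DEFANGED):
    """Return (device, app) pairs that requested the reported channel."""
    wanted = channel_key(refang(ioc))
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines instead of guessing
        device, app, url = fields
        # Exact host comparison, so look-alike hosts such as
        # t.me.example.org do not match.
        if channel_key(url) == wanted:
            hits.append((device, app))
    return hits

if __name__ == "__main__":
    print(find_dead_drop_fetches(SAMPLE_LOG))
```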

The malware can also terminate itself whenever it gets the corresponding commands from the C&C server.

Figure 14 – Code to Self-Terminate

Below, we have listed the commands used by the TAs to control infected devices:

| Command | Description |
|---|---|
| startUSSD | To Transfer Money Using USSD |
| sentSMS | To Send SMS to a Particular Number |
| startApp | To Launch the Application Activity |
| getSMS | To Get SMSs Present in the Device |
| startforward | To Forward Calls |
| linkopen | To Open URL in Browser |
| killbot | To Kill Itself |

Conclusion

Banking threats are increasing with every passing day and growing in sophistication. The GodFather malware variant is one such example. The malicious code present in the malware gives it the capability to steal sensitive information from the compromised device.

There is also the additional threat of TAs using this sensitive data to commit financial fraud and further propagate the malware to other devices.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Execution | T1575 | Native Code |
| Collection | T1412 | Capture SMS Messages |
| Command and Control | T1436 | Commonly Used Port |

Indicators of Compromise (IOCs)  

| Indicators | Indicator Type | Description |
|---|---|---|
| 0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8 | SHA256 | GodFather APK |
| 3fa48a36d22d848ad111b246ca94fa58088dbb7a | SHA1 | GodFather APK |
| ec9f857999b4fc3dd007fdb786b7a8d1 | MD5 | GodFather APK |
| c79857015dbf220111e7c5f47cf20a656741a9380cc0faecd486b517648eb199 | SHA256 | GodFather APK |
| 2b3b78d3a62952dd88fc4da4688928ec6013af71 | SHA1 | GodFather APK |
| d7118d3d6bf476d046305be1e1f9b388 | MD5 | GodFather APK |
| hxxps://t[.]me/dobrynyanikitichsobre | URL | Telegram Channel Used to Fetch URL |
