Godfather

GodFather Malware Returns Targeting Banking Users

Android Malware Mimics MYT Müzik App to Target Turkish Users

GodFather is a notorious Android banking trojan known for targeting banking users, mostly in European countries. Cyble Research & Intelligence Labs (CRIL) blogged about this GodFather android malware in March 2022 and explained how it targeted android banking users worldwide. Recently, CRIL identified several GodFather Android samples masquerading as MYT application. This application has the name MYT Müzik which is written in the Turkish language. Thus, we suspect this application targets Android users in Turkey.

The GodFather samples analyzed are encrypted using custom encryption techniques to evade detection by the anti-virus products. Upon installing this application on our testing device, we observed that it uses an icon and name similar to a legitimate application named MYT Music which is hosted on the Google Play Store with more than 10 million downloads. The image below shows the malicious application’s icon and name on the Android device’s screen.

Figure 1 – App Icon and Name Displayed on the Device Screen

The GodFather Android malware, after successful installation on the victim’s device, steals sensitive data such as SMSs, basic device details, including installed apps data, and the device’s phone number. Apart from these, it can also control the device screen using VNC, forwarding incoming calls of the victim’s device and injecting banking URLs.

Technical Analysis

APK Metadata Information

  • App Name: MYT Müzik
  • Package Name: com.expressvpn.vpn
  • SHA256 Hash: 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4

Figure 2 shows the metadata information of an application.

Figure 2 – App Metadata Information

Manifest Description

The malware requests 23 different permissions from the user, out of which it abuses at least 6. These dangerous permissions are listed below:

PermissionsDescription
READ_CONTACTSAccess phone contacts
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files in the device’s external storage
DISABLE_KEYGUARDAllows the app to disable the keylock and any associated password security
BIND_ACCESSIBILITY_SERVICEUsed for Accessibility Service

Source Code Review

The malicious application uses the code below to hide/unhide its icon from the device screen.

Figure 3 – Code to Hide/Unhide Icon

The below image shows the code snippet used by the malware for collecting Victim’s device details, such as device model info, installed apps list, etc., and uploading them to the TAs’ server.

Figure 4 – Code to Collect Basic Device Info

The malware can do money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialer user interface, as shown in the figure below.

Figure 5 – Code to Transfer Money using USSD

The malware creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages when it receives sunset_cmd from the TAs C&Cserver, as shown in the below image.

Figure 6 – Code to Inject HTML Pages

Upon receiving the command from the C&C server, the malware forwards Victim’s incoming calls to a number provided by the TAs’.

Figure 7 – Code to Forward Victim’s Incoming Calls

The image shown below contains the code through which the malware can steal application key logs.

Figure 8 – Code to Steal Key Logs

The malware uses the below-shown code to view/control the victim device’s screen using a VNC viewer.

Figure 9 – Code to Monitor Victim Device’s Screen

The malicious application gets the C&C server URL from a telegram channel: hxxps://t[.]me/varezotukomirza, through which it communicates with the TAs to get the commands and sends the stolen data from the device.

Figure 10 – Malware Gets C&C URL from Telegram Channel

The malware terminates itself after receiving a “killbot” command from TAs C&C server. The below-shown code snippet depicts the same.

Figure 11 – Code to Terminate Itself

The malware uses the below commands to extract sensitive information from the user’s device.

Command-List
startUSSD
sentSMS
startApp
startforward
killbot
send_all_permission
vnc_open
keylog_active
unlock_screen
sunset
startscreen

Conclusion

GodFather Android Banking trojan was seen targeting European users at the beginning of the year 2022. Now, it comes back with advanced encryption techniques used to obfuscate its code. This shows the TA’s ability to continuously enhance their techniques to target people with avoiding detections from Anti-virus programs.

As per the research, such malware is distributed via sources other than Google Play Store. As a result, practicing basic cyber hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on anti-viruses and Android OS alerts and take necessary actions accordingly.

What to do when you are infected?t

  • Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Means.
Initial AccessT1444Masquerade as a Legitimate Application
ExecutionT1575Native Code
CollectionT1513Screen Capture
Command and ControlT1436
T1616
Commonly Used Port
Call Control

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
40a099d574cd588903d9cf8701da8d006e58be406049d26a61cc291720270b60 da021a501372f8de9a1d2c11802ec452f218a1c3fd39356151acae076c3304ff 76cd894001f01f56299079b7eace162947b51b8b3a587c26709613e42279b850 e6fb245a7dd02af549e2d62f42413dcacda0fb847ee84d52b0f69c8219f3e81d e67b8b78550396f542ded77d2118487ac1afb0d4ac6b70774889bbb4e6d88265 b58b9a2ba58813ad4fbf2f6349a522f9a49bf8b3190237eb9c43c1d085f4497e 3f7eae6cc61fdc2553a2acdede69be84945a7a724b632dea3ff8466f74b56249 8d07967b9253951b52c631383a3dde8513572b3c996c338819f4e12a7a60bf23 7d9d89371f0409660136ad7a238e345b140b9359fae186814ec9572996f373a6 536e9a5b341eb6e0708e58f65679232513b2896674b8b2615ff93c58fe1dbcf9 50df8248535002052622f00b691bd60ad735e16e685a9d7b95a0850dc4229ad3 363eb5d89b43946a4af03e2399e47125bec822729d764b08004eb492212d51db 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4 0932a99030a80786f8215e5cb5c879708848bd62141ff4672e23823ddc562ac7 06b0bebc1422a969ef10a0f13fb253b0697d079d7126551370b9757da6564c9d d981bccfde804bb662e4acb1e7a97298b4a081c02b498a01abfeec74a60b8fdc 61e67d1ce1577d5a08d0ae970ac20fa5f0b8db3660b6c6c83189130be3039675 93a8d9d57a816b1c0401660256db8e37d29a92a43cd7d9668f9d05db820aa572 896301f184ff67a0fa9570e4275eafe66ab907636e381b86b87d28532aea0c82 55183db5a190f08ce9e1589b2b7186ce64523c85c2c8b2ea03c52315b529b451 32c7ef93f3329709bf38b7d6ea5f076fb8bd86d36785ed811d99efcb98f8ae58SHA256Malicious APK
hxxps://t[.]me/varezotukomirzaURLTelegram Channel Hosting Encrypted C&C Server

Recent Blogs

BATLoader-RATs-Stealers-OneNote

Cyble analyzes BATLoader – A sophisticated loader being utilized by Threat Actors to deliver several malware families.

Read More »
Qakbot-Microsoft-OneNote

Cyble Research & Intelligence Labs analyzes new strategies deployed by Qakbot to infect users via Microsoft OneNote.

Read More »
Scroll to Top