Full Report
A new version of the Android malware "Godfather" creates isolated virtual environments on mobile devices to steal account data and transactions from legitimate banking apps. [...]
Analysis Summary
# Tool/Technique: Godfather Android Malware
## Overview
Godfather is an Android banking malware that has evolved to use virtualization techniques to hijack banking applications. Its primary goal is to steal user credentials and execute fraudulent financial transactions, often by presenting fake overlays to trick users.
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: Credential harvesting via overlay attacks, UI manipulation, execution of commands from C2 (e.g., unlocking the device, navigating apps, triggering payments), use of virtualization.
- First Seen: March 2021
## MITRE ATT&CK Mapping
This summary maps only the behaviors described in the article. Because the article centers on mobile tactics, the mapping is derived from the described capabilities (input capture, UI manipulation, remote command execution) rather than from sample analysis, and several entries are marked as implied.
- **TA0001 - Initial Access**
  - T1434 - Develop Capabilities for Exploitation (Implied via deployment mechanisms, likely sideloading/Trojanized apps)
- **TA0005 - Defense Evasion**
  - T1551 - Virtualization (Implied use of virtualization to hide processes or bypass security checks)
- **TA0006 - Credential Access**
  - T1111 - Input Capture (via overlay attacks for PIN/password entry)
- **TA0007 - Discovery**
  - T1428 - Application Discovery (Scanning for specific target banking/crypto apps)
- **TA0008 - Lateral Movement** (Not explicitly detailed, but transaction capability implies moving funds)
- **TA0010 - Command and Control**
  - T1429 - Data from Network Shared Drive (Implied data exfiltration)
## Functionality
### Core Capabilities
- **Overlay Attacks:** Displays fake lock screens or update prompts over genuine banking apps to capture user PINs and passwords.
- **Credential Exfiltration:** Collects stolen credentials and sends them to the malware operators.
- **Remote Operations:** Awaits C2 commands (e.g., unlock device, open apps, trigger payments/transfers).
### Advanced Features
- **Virtualization Usage:** The latest evolution incorporates virtualization to enhance its ability to hijack banking apps and potentially evade detection.
- **UI Manipulation:** Can perform automated UI navigation within legitimate applications to facilitate fraudulent transactions without user knowledge.
- **Disguised Activity:** When performing actions, the malware shows the user a fake "update screen" or a black screen to prevent suspicion.
- **Targeting:** Known to target a large number of financial/banking applications (previously 400 apps across 16 countries; later campaign targeted a dozen Turkish bank apps).
## Indicators of Compromise
*Note: Specific hashes, file names, and network indicators were not provided in the source text.*
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not applicable/Not provided for Android]
- Network Indicators: No C2 addresses or domains were provided; behaviorally, the malware polls C2 servers for commands that orchestrate attacks and returns exfiltrated data to them.
- Behavioral Indicators: Displaying fake lock screens/overlays during login attempts for banking/crypto apps; bypassing user input security checks; automated navigation within targeted applications.
## Associated Threat Actors
- Threat actors employing the Godfather malware. (No named group is identified in the provided excerpt; earlier public analysis of the family's evolution came from ThreatFabric and Group-IB.)
## Detection Methods
- Signature-based detection (existing Godfather signatures are likely to identify samples, provided they are updated to cover the virtualization-based variant).
- Behavioral detection (monitoring for overlay windows drawn over trusted financial applications, unexpected automated UI interaction, and enabled accessibility services or app-virtualization frameworks that the user did not knowingly install).
- YARA rules: [Not provided]
## Mitigation Strategies
- Only download applications from the official Google Play Store or from trusted publishers.
- Ensure Google Play Protect is active on the device.
- Scrutinize requested application permissions, especially those related to accessibility services or screen overlay drawing.
- Avoid entering sensitive information (PINs, passwords) when an unexpected screen or overlay appears over a banking application.
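The overlay and accessibility-abuse behaviors listed under Detection Methods and Mitigation Strategies can also be countered inside the targeted app. The following Kotlin snippet is an added example (not code from the article or from any banking app); it assumes an Android Activity hosting a PIN/login screen and uses only public Android APIs. The `onSuspiciousOverlay` hook is a hypothetical placeholder.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.view.MotionEvent
import android.view.accessibility.AccessibilityManager

// Added example: in-app hardening against overlay (tapjacking) and
// accessibility-driven UI automation. Assumed to run as the app's login screen.
class LoginActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // 1. Android 12+ (API 31): ask the system to hide non-system overlay
        //    windows while this window is visible. Needs the
        //    android.permission.HIDE_OVERLAY_WINDOWS manifest permission.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }
        // 2. Discard touches delivered while another window covers this one,
        //    the situation a fake "lock screen" or "update screen" creates.
        window.decorView.filterTouchesWhenObscured = true
    }

    // 3. Inspect the obscured flags ourselves so the UI can react visibly
    //    (refuse PIN entry, warn the user) instead of silently dropping input.
    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        val obscured = (ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0 ||
            (ev.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (obscured) {
            onSuspiciousOverlay()
            return true // consume the event; it never reaches the PIN field
        }
        return super.dispatchTouchEvent(ev)
    }

    // 4. List enabled third-party accessibility services. Malware of this type
    //    drives the UI through AccessibilityService, so the app can warn before
    //    sensitive screens (warn, not block: legitimate assistive tools exist).
    fun thirdPartyAccessibilityServices(): List<String> {
        val am = getSystemService(ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .filterNot { it == packageName || it.startsWith("com.android.") || it.startsWith("com.google.") }
    }

    private fun onSuspiciousOverlay() {
        // Hypothetical hook: record a risk signal and show an in-app warning.
    }
}
```

Step 1 removes the overlay entirely on Android 12+, so steps 2 and 3 mainly matter on older releases or when the permission is absent; the package-name filter in step 4 is a heuristic and should be tuned against the vendor accessibility services seen in the app's user base.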
## Related Tools/Techniques
- HTML login screen overlays (Used in previous Godfather versions).
- Other Android banking Trojans utilizing overlay and accessibility abuse techniques.