Bafin warns Android users of banking Trojans

The banking Trojan “Godfather” has been circulating on Android devices for some time, attacking banking and crypto apps. Now the Bafin is also warning of the malware.

The one from Singapore reported back in December IT security company Group-IB about the Android Trojan Godfather. Cyber ​​criminals would use the malware to steal login credentials from banks and other financial service providers.

By the time the report was published on December 21, users from more than 400 international destinations had already been affected. Including banks, crypto exchanges and wallets.

In the meantime also warns the Federal Financial Supervisory Authority (Bafin) before the Trojan Godfather. Because he also targeted operators of banking and crypto apps from Germany.

How does the Godfather banking Trojan work?

According to the Bafin, it is unclear how the malware gets onto the devices of consumers. But once the mobile device is infected, the Trojan displays “fake websites from regular banking and crypto apps”.

If users then log in via these pages, the login data is forwarded to the criminals.

But that’s not all. Because the malware is also able to send push notifications. This is also how the codes for two-factor authentication should be understood.

If the cybercriminals then have both elements required for a successful login in hand, they can access the accounts and wallets of the victims.

Banking Trojans are said to be an old acquaintance

According to the IT security company Group-IB, the Trojan Godfather is a well-known banking Trojan. This had previously borne the name Anubis. However, Anubis is outdated “due to Android updates and the efforts of malware detection and prevention providers”.

Group-IB first tracked down Godfather in June 2021. Distribution stopped a year later. The IT security company assumes that the Godfather developers wanted to update the Trojan further.

Godfather’s targets include 49 US-based companies, 31 Turkey-based companies and 30 Spain-based companies. Financial service providers in Canada, France, Germany, the UK, Italy and Poland were also hardest hit.

While Godfather appears to be quite active in Western countries, users in “post-Soviet countries” are spared, according to Group-IB. Because the Trojan can also access the system settings and thus recognize the set language. “This could indicate that Godfather’s developers are Russian-speaking,” Group-IB said.

Bafin: Malware acts in the background

According to Group-IB, the Trojan presumably cheats its way onto end devices through other apps from the Google Play Store. Once downloaded, the app mimics the Google Play Protect security application. This is supposed to protect users from installing malicious applications.

Users should therefore only download apps from the official Play Store and activate Google Play Protect in advance. It can also help to analyze the additional information about the app before downloading it.

Because once a defective app has been installed, the Trojan gains access to the Android operating aids via Play Protect and can thus operate unnoticed in the background. If this is the case, the Trojan can, among other things, record screen shots or forward calls to bypass two-factor authentication.

Also interesting:

Leave a Reply

Your email address will not be published. Required fields are marked *