Godfather Android Banking Trojan Technical Analysis

This is the open version of Godfather Android Banking Trojan Technical Analysis. If you want to download it as a PDF click here.

Executive Summary

Godfather stands out among malicious Android software as a significant threat. This malware targets financial and personal information, endangering users’ security. Key characteristics of Godfather include:

Objective and Threat: Godfather aims to seize users’ financial account information, identity data, and personal details. It can jeopardize users’ security, leading to financial losses and identity theft.
Operational Mechanism: Utilizing keylogging, Godfather monitors users’ keystrokes, steals entered data, and tracks user interactions.
Distribution Methods: This malware often spreads through fake applications or malicious websites. It increases infection risks by luring users into traps with deceptive content.
Data Transmission: Godfather can transmit captured data to a command and control server.

Before the Analysis

Godfather Trojan Activity Targeting Financial Sector Detected

The Group-IB Threat Intelligence team detected that the Godfather Android banking trojan targeted more than 400 international financial companies between June 2021 and October 2022. Half of the targeted financial companies are banks, and the other half are cryptocurrency wallets and exchanges. The Godfather’s targets include 49 US-based companies, 31 Turkish-based companies, and 30 Spanish-based companies. Financial service providers in Canada, France, Germany, England, Italy, and Poland are among the hardest-hit companies. [Read More]

godftaher trojan targeting USA and Turkey financial companies — Figure 1: Fake Web Pages Imitating Mobile Banking Applications Serving in Turkey

Some activities that Godfather trojan software performs on infected systems;

Recording the device’s screen
Creating VNC connections
Capturing keystrokes (keylogging)
Leaking push notifications and SMS messages (to bypass 2FA)
Send SMS messages
Forward calls
Execute USSD requests
Start proxy servers
Enabling silent mode
Establishing WebSocket connections

In the last 9 months, Godfather Trojan activities have been activated again, especially in Turkey. This time, attackers mainly have used music apps to infect the victims of the android trojan, Godfather.

infected music apps by godfather android trojan — Image Source: twitter.com/0x6rss

Technical Analysis

Godfather malware requires the following permissions.

Permission List

android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.BIND_ACCESSIBILITY_SERVICE
android.permission.FOREGROUND_SERVICE
android.permission.INTERNET
android.permission.POST_NOTIFICATIONS
android.permission.QUERY_ALL_PACKAGES
android.permission.READ_PHONE_STATE
android.permission.READ_PRIVILEGED_PHONE_STATE
android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
android.permission.WAKE_LOCK

With the permissions given above, the malware in question is able to perform the following actions:

Internet access
Ability to use Accessibility service
Installing application
Access notifications
Running as a foreground service

Upon execution, the malware requests activation of its accessibility service under the name of “Müzik”. It is observed that the malware uses accessibility rights to press buttons on the screen, read user inputs such as user clicks, run applications, and monitor what users have typed in a certain text field.

godfather accesibility server — Figure 2: Accessibility service request

Anti-Analysis Techniques

The malware uses the encrypted strings at runtime by decrypting them using the blowfish algorithm.(secret key: 67d45d2f64)

godfather android trojan accessibility request — Figure 3: Accessibility service request

It gets the command control address with the encrypted string in the description of a telegram account. This method is also often used by other malware.

godfather telegram decription — Figure 4: Telegram Description

Again, it uses blowfish to decrypt this encrypted string. (key:ABC, IV:abcdefgh)

extracted malware payload in stealc malware — Figure 5: Jump to the extracted malware payload

Application Runtime

Godfather malware retrieves the list of target applications from the command and control server.

targeted apps by godfather android trojan — Figure 6: Targeted Apps

Unlike other malware (eg, cerberus, hook, ermac), the malware steals information by keylogging instead of using an overlay attack.

godfather's keylogger feature — Figure 7: Keylogger

godfather keylogger logs — Figure 8: Keylogger output

Targeted Applications

com[.]tmobtech.halkbank
com[.]vakifbank.mobile
com[.]ziraat.ziraatmobil
com[.]akbank.android.apps.akbankdirekt
com[.]anadolubank.android
com[.]fibabanka.Fibabanka.mobile
tr.com[.]sekerbilisim.mbank
com[.]teb
com[.]teb.kurumsal
com[.]pozitron.iscep
com[.]ykb.android
tr[.]com[.]abank.dijital
com[.]a2a.android.burgan
com[.]denizbank.mobildeniz
com[.]garanti.cepsubesi
com[.]ingbanktr.ingmobil
com[.]magiclick.odeabank
com[.]finansbank.mobile.cepsube
finansbank[.]enpara
finansbank[.]enpara.sirketim
com[.]kuveytturk.mobil
com[.]ziraatkatilim.mobilebanking
com[.]tfkb
com[.]albarakaapp
com[.]aktifbank.nkolay
com[.]fibabanka.mobile
com[.]ininal.wallet
com[.]intertech.mobilemoneytransfer.activity
com[.]isbank.isyerim
com[.]kuveytturk.yourbank
com[.]mobillium.papara
com[.]pttfinans
com[.]turkcell.paycell
com[.]vakifkatilim.mobil
paladyum[.]peppara
tr.com[.]hsbc.hsbcturkey.uk
tr.com[.]param.android

Conclusion

Godfather represents a serious instance of malicious software, carrying risks like financial loss and personal privacy breaches. Users need to enhance their cybersecurity awareness and download from reputable sources.