Godfather, the successor to the Anubis banking malware


The successor to the banking trojan Anubis, malware that had targeted nearly 200 banking applications on Android, now has a name. According to Group-IB, the Godfather malware, which appeared in the summer of 2021, does appear to be a modernized version of this older Trojan horse, which had become obsolete thanks to publishers' efforts to counter it.

400 targeted financial services

It is a successor to be taken seriously. According to Group-IB, a company of Russian origin now based in Singapore, the Godfather malware targeted around 400 financial services in 18 months, including 215 banks and 204 cryptocurrency service platforms. The two pieces of malware, Group-IB explains, share a common code base. However, this does not confirm that the developers of the two Trojans are the same.

The source code of Anubis has in fact been accessible since 2019. As Trend Micro has noted, Anubis has already pivoted several times, from cyber espionage to the theft of banking information, by way of ransomware. Finally, the two pieces of malware differ in the protocols they use to communicate with their command and control servers.

According to Cyble, the Godfather malware reaches its targets by hiding, notably, behind a fake Turkish music application. Anubis, for its part, spread by hiding behind innocuous-looking applications such as a currency converter.

Extended Features

Once launched, the malware mimics Google Protect, a dedicated threat detection app, even running a fake scan of the device, before quietly installing itself in the background. Quite typically, the malware then targets usernames and passwords.

It can thus record keystrokes, capture screenshots, extract contacts and SMS messages, and launch fake notifications. The malware tricks its victims by overlaying fake login forms on targeted banking and cryptocurrency apps, which in fact lead them to phishing pages.

However, the Trojan is configured to stop if the phone’s language is set to Russian or one of eight other languages of countries close to Russia, suggesting that the developers are Russian speakers or that they live, at the very least, in a country of the Commonwealth of Independent States (CIS).




