The Federal Financial Supervisory Authority (Bafin) warns of a new Trojan – this is said to be primarily aimed at login data for bank accounts and crypto apps.

The Federal Financial Supervisory Authority (Bafin) warns of the “Godfather” malware. This is intended to record inputs from well-known banking and crypto apps and then transmit them to criminals. The software is also able to send deceptively real notifications, which usually serve to release transfers and logins. This, according to the warning, would give attackers access to the accounts or wallets of affected persons.

400 banking and crypto apps affected

The Bafin says that “Godfather” is currently focusing on around 400 well-known banking and crypto apps, including popular programs from Germany. It is currently not clear how “Godfather” is spreading and which sources are to be avoided.

Once installed, the malware aims to display fake websites of banks and crypto exchanges. As soon as you log in there, the Trojan is said to forward the entries to third parties.

Following its warning, Bafin only gives general tips on how to protect yourself from attacks on mobile devices in general, but does not go into more detail about “Godfather” and any sources of supply.

The IT trade magazine “Bleeping Computer” makes it clear that apparently only users of Android smartphones are affected. As an example, the report cites a manipulated music app called “MYT Müzik”, the actual version of which has been downloaded more than ten million times from the Google Play Store and is therefore likely to be searched for often.

Android accessibility services serve as a gateway

“Godfather” was discovered by “Group IB”, which published a major report on the Trojan at the end of December. Accordingly, “Godfather” is active in 16 countries, but will discontinue all functions as soon as it is recognized that the victim speaks Russian and has set a corresponding system language. This is a well-known pattern used by ransomware extortionists.

As for how it works, the experts found evidence that the Trojan exploits a Google service called Protect. Actually, Google Play Protect performs a security check before apps are downloaded from the Google Play Store. “Godfather” simulates its function and imitates such a check. The software asks for access to the Android Accessibility Services.

If the release is given, the system gives the Trojan permission to change apps in the interests of accessibility – but uses this to access data through fake websites and deceive users. The experts from “Security Research Labs” warned as early as the end of 2021 that malware on Android devices would prefer to exploit this route.