Crypto and banking apps targeted by ‘Godfather’ malware, warns BaFin

Quick Take

  • BaFin says the GodFather malware has attacked 400 crypto and banking apps.
  • The malware works by stealing login data, including two-factor authentication codes.

Germany’s financial regulator BaFin has warned that crypto and banking mobile apps are being targeted by cybercriminals using the “GodFather” Android malware.

In Monday’s announcement, BaFin said the malware has so far attacked 400 crypto and banking apps, including platforms operating out of Germany and 15 other countries. This includes 200 banking apps, 100 crypto exchanges, and 94 crypto wallets, according to a report by PCrisk.

Today’s announcement is the latest warning of the growing threat posed by the GodFather malware. GodFather is among a class of Android-based trojans, like Gustuff, that target crypto and banking mobile apps. It tricks its victims by displaying fake versions of online crypto exchange and banking websites, which lets cybercriminals steal the victims’ login data.

The GodFather malware can also steal text messages from the victim’s smartphone. This makes it possible for cybercriminals to use the malware to bypass two-factor authentication checks.


Security experts say the malware is able to mimic the Google Protect tool, which allows it to gain access to Accessibility settings on the victim’s phone. This access also allows the malware to expand its pool of infected apps: it uses the phone’s built-in screen capture capabilities to record keystrokes when the victim logs in to apps outside of its list of infected apps.

“It is unclear exactly how the software gets onto the infected end devices of customers,” the BaFin announcement stated. However, security experts say cybercriminals are distributing the malware via trojan-infected apps on the Google Play Store. These apps are fake versions of legitimate apps that come loaded with the trojan.

Android users have been urged to review apps before installing them to avoid such fake apps. Android users have also been advised to turn on Google Play Protect. PCrisk also stated that the malware does not operate on devices that have their languages set to Uzbek, Russian, Azerbaijani, Kazakh, Kyrgyz, Armenian, Tajik, Belarusian, or Moldovan.
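The behaviours described above (an app posing as Google Protect, Accessibility access, and the ability to read text messages) can be checked together when reviewing a device's installed apps. The following is an added example, not from the article or the sources it cites: it takes the value of Android's `enabled_accessibility_services` secure setting plus an app inventory whose dictionary layout, package names and allowlist are assumptions constructed for illustration.

```python
# Added example: flag apps that combine the behaviours the article describes.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
TRUSTED_A11Y = {"com.google.android.marvin.talkback"}  # assumption: local allowlist
GOOGLE_PREFIXES = ("com.google.", "com.android.vending")


def parse_a11y(setting):
    """Package names from the enabled_accessibility_services value
    (colon-separated 'package/service' entries; 'null' or empty when unset)."""
    if not setting or setting.strip() in ("", "null"):
        return set()
    return {c.split("/", 1)[0].strip() for c in setting.split(":") if c.strip()}


def audit(a11y_setting, inventory):
    """Return [(package, [reasons])], most reasons first."""
    a11y = parse_a11y(a11y_setting)
    findings = []
    for pkg, info in inventory.items():
        reasons = []
        label = info.get("label", "").lower()
        if "google" in label and "protect" in label and not pkg.startswith(GOOGLE_PREFIXES):
            reasons.append("label imitates Google Protect")
        if pkg in a11y and pkg not in TRUSTED_A11Y:
            reasons.append("accessibility service enabled")
        # SMS access alone is common; it only matters combined with the above.
        if reasons and SMS_PERMS & set(info.get("permissions", [])):
            reasons.append("can read SMS (2FA codes)")
        if reasons:
            findings.append((pkg, reasons))
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))


# Constructed sample data (hypothetical packages, not real indicators).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.protectx/com.example.protectx.Svc:"
    "com.example.reader/com.example.reader.ReaderService"
)
SAMPLE_INVENTORY = {
    "com.google.android.marvin.talkback": {"label": "TalkBack", "permissions": []},
    "com.example.protectx": {"label": "Google Protect", "permissions": [
        "android.permission.READ_SMS", "android.permission.INTERNET"]},
    "com.example.messenger": {"label": "Messenger", "permissions": [
        "android.permission.RECEIVE_SMS"]},
    "com.example.reader": {"label": "Screen Reader Plus", "permissions": []},
}

if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE_SETTING, SAMPLE_INVENTORY):
        print(pkg, "->", "; ".join(reasons))
```
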


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Osato is a news reporter at The Block as part of the crypto ecosystems team that focuses on DAO governance, staking, blockchain layers, and DeFi. He was previously a news reporter at Cointelegraph. Based in Lagos, Nigeria, he enjoys crosswords, poker, and attempting to beat his Scrabble high score. Follow him on Twitter at @OsatoNomayo.

Editor: Tim Copeland