BID® Daily Newsletter
Jul 30, 2025

This Malware Makes You an Offer You Can’t Refuse

Summary: The new malware strain is so devious it can steal banking client credentials and drain assets before its presence is detected. CFIs should warn their customers about it before it’s too late.

In the movie “The Godfather,” Marlon Brando’s character, Vito Corleone, fails to realize the threat posed by a rival named Sollozzo. Corleone, protected only by his inept son Fredo, ends up being ambushed and shot.
 
There’s a new GodFather in town, a devious malware iteration that has taken direct aim at financial institutions. Institutions that fail to realize the threat and take defensive measures may find that client accounts get hacked and drained.
What is GodFather?
GodFather is a banking malware program that has recently evolved into a more sophisticated, and therefore more dangerous, version. It hijacks banking apps and allows whoever controls the malware to gain full entry into customer accounts and then withdraw assets.
What makes this latest version of the GodFather more dangerous is that it uses a virtual and identical copy of a banking app to trick users. This is an advance over earlier versions that tried to mimic banking apps. What a user sees now is a complete, working copy of the actual app, so it is nearly impossible to tell that a hack is underway.
How does GodFather work?
GodFather tricks a mobile phone user into installing its software on their device, generally through a fake app, a malicious update, or a phishing link. For example, a user may download an app that looks legitimate and functions exactly like their financial app, but actually contains the GodFather trojan. After installing GodFather’s fake app, the victim might see a message asking them to grant permission to use all the features. If the user clicks, they unknowingly give the GodFather app full access to their device.
GodFather then creates a “virtual space” or sandbox on the device and scans for targeted banking apps. Instead of simply downloading a copy of the user’s banking software, the malware prepares to launch the existing, legitimate app inside this virtual environment. When the customer opens their banking app, GodFather intercepts the action and silently starts the banking app within the sandbox under its total control.
When the customer logs into what appears to be their normal banking app, the malware is able to capture login credentials and other sensitive information about the victim. The user is able to continue working on the banking app copy without realizing anything is wrong. Having obtained complete login credentials, the crooks can then log into the user’s account on the legitimate financial institution’s website or app themselves and drain the victim’s assets.
Who does GodFather target?
GodFather primarily targets users of Android devices by impersonating legitimate apps to steal login credentials and other sensitive information. The current campaign is aimed at nearly 500 apps worldwide, spanning financial institutions, e-commerce platforms, cryptocurrency services, and social media. While larger organizations often draw the most attention, community financial institutions (CFIs) are equally susceptible to these kinds of attacks.
How can you protect your customers from GodFather?
For starters, keep your cybersecurity defenses current and robust. Work with cybersecurity experts to determine any actions you may need to take in response to GodFather.
Since individual banking app users are the primary target, it is important to warn and educate customers about the GodFather malware. This includes sole proprietorships and small businesses that have a designated person who might oversee business finances via a smartphone app. Financial institutions looking to educate customers may find the following Republic Bank notification useful as a reference. 
Customers should be advised to:
  • Avoid clicking on unsolicited links, even if they appear legitimate.
  • Be cautious when apps request extensive permissions, especially after installation.
  • Enable multi-factor authentication to add a layer of protection.
  • Only download financial apps from official sources such as the Apple App Store or Google Play.
  • Report any suspicious activity to their financial institution immediately.
With its ability to mimic legitimate banking apps, GodFather presents a serious risk to customers’ accounts. CFIs should stay alert and communicate proactively to help customers protect themselves against mobile-based threats.