Technical analysis of Godfather android malware
بسم الله الرحمن الرحيم
FreePalestine
Introduction
Godfather is a malware that targets Android devices. It was first discovered in 2020 and is known for its sophisticated and aggressive behavior. The malware is designed to steal sensitive information such as banking credentials, passwords, and other personal data from infected devices.
The Godfather Android banking malware is a threat to users in 16 countries, as it has been designed to steal account credentials from over 400 online banking sites and cryptocurrency exchanges. It accomplishes this by disguising itself as a login screen, overlaying the login forums of banking and cryptocurrency exchange apps.
Anti-emulator
After installing The malware on the device, it checks the device if it’s an emulator or not. If the malware is installed on the emulator, the malware will not run its malicious functions.
The method retrun is boolean. When the malware checks for the emulator exitance, the return is 0 when there’s no emulator or the return is 1 when there’s an emulator
Collect vectim’s device info
The malware will collect information about the device that’s infected and send the collected information to the C2 server. The information which will be sent to the C2 server such as applist which will collect all the applications installed on the device, ag to get the user agent, sim to get the network operator name, phone to get the phone number of the device, model, and ver of the device.
USSD
This method can make the malware transfers meoney using money transfers by making USSD (Unstructured Supplementary Service Data) calls without even using the dialer user interface.
When the malware communicate withe C2 server and the response from the C2 server contains startUSSD command, the malware will start this method to transfer money using USSD.
Call forwarding
The malware has the ability to forward incomming calls. This is used to bypass the two factor authintication 2FA.
When the malware communicate withe C2 server and the response from the C2 server contains startforward command, the malware will start this method to start call forwarding.
Push notifications
The malware will push fake notifications as if the notification came from ligitmate application. When the user opens the fake notifications, this opens a fake Web page and the user may enter his/her inforamtions such as username, email, or password.
When the malware communicate withe C2 server and the response from the C2 server contains startPush command, the malware will start this method to start pushing fake notifications.
Smishing
The malware will send message which contains malicous URLs to download malicous applications to victim’s contacts. This message is received from the C2 server and then the malware will send it to all contacts.
When the malware communicate withe C2 server and the response from the C2 server contains BookSMS command, the malware will start this method to start sending SMSs to the victim’s contacts.
Steal SMSs
The malware will collect the SMSs on the victim’s device and send the data to the C2 server. This is used to bypass the two factor authintication 2FA.
When the malware communicate withe C2 server and the response from the C2 server contains sentSMS command, the malware will start this method to start sending the SMSs to the C2 server.
Record the screen
The malware will record a video of the screen of the victim’s device then sends the video to the C2 server. This technique is used to steal sensitive data as the same as overlay attack. When the user opens a targeted app, the malware send to the C2 server that the user opened a targeted app. The C2 server sends a command to start recording the screen.
VNC
VNC, which stands for Virtual Network Computing, is a protocol for remote control of computers. VNC can be used by the malware to gain remote control over an infected device, allowing the attacker to perform various malicious activities.
For example, a VNC-based Android malware might allow an attacker to remotely access the device’s screen, camera, microphone, and other resources, allowing them to steal sensitive information, carry out phishing attacks, or monitor the user’s activities. The malware may also use the VNC connection to install additional malicious software on the device, making it part of a larger network of compromised devices (known as a botnet).
settings_port: The value of the port is 5900.
settings_password: the value of the password is 123.
user: the value of the user is bluetooth_name.
vnc_host: the value of the host is 5500.
The settings_port, settings_password values are saved in the Shared Preferences.
Overlay attack
When the user opens a targeted app, the malware displays a fake or malicious overlay on top of the active window of the targeted app. The opened malicious window is the same as the legitimate app. This allows the attacker to steal sensitive information, such as login credentials, credit card numbers, or other sensitive data, by tricking the user into entering it into the overlay.
Start/Kill the malware
The C2 server sends to the malware to start or terminate itself.
Cache cleaner
The malware will clean the cache of an app. The malware will send cachecleaner command from the C2 server and app name in the command.
Communications
The malware will get the C2 server URL from description of a Telegram channel. The malware will send an HTTP reguest To https://t.me/varezotukomirza to get the encrypted C2 server zH7cPW3ZEHj5SDEKxFtXcoMXMJmMGlMGCH978whkdfQ. The C2 server is encrypted using Blowfish algorithm with ECB_MODE and ABC as a key and encoded using Base64.
When we decrypt The C2 server:
-
Decoded the
Base64, then -
Decrypt the
blowfishwithECB_MODEusingABCas a key
Thanks to Witold Precikowski for helping to decrypt the C2 server. We use this script to decrypt the encrypted C2 server obtained form the Telegram channel.
from Crypto.Cipher import Blowfish
import base64
bs = Blowfish.block_size
key = b'ABC'
data = 'zH7cPW3ZEHj5SDEKxFtXcoMXMJmMGlMGCH978whkdfQ='
# Base64 decode
ciphertext = base64.b64decode(data)
# Decrypt Blowfish in ECB mode
cipher = Blowfish.new(key, Blowfish.MODE_ECB)
msg = cipher.decrypt(ciphertext)
last_byte = msg[-1]
msg = msg[:- (last_byte if type(last_byte) is int else ord(last_byte))]
print(msg)
The decrypted C2 server will be https://kalopterbomrassa.shop/.
After the malware gets the C2 server the communication between the C2 server and the malware will be decrypted using AES/CBC/NoPadding with fedcba9876543210 as IV and 0123456789abcdef as a key.
Special thanks to Witold Precikowski, Lasha kh., and Re-ind for their continuous help and support.
IoCs
App name: MYT Müzik
Package name: com.expressvpn.vpn
Sha256: 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4
Telegram channel: https://t.me/varezotukomirza
C2 server: https://kalopterbomrassa.shop/
Yara rule
rule Godgather {
meta:
author = "@muha2xmad"
date = "2023-02-09"
description = "Godfather android malware"
version = "1.0"
strings:
$str00 = "main_wang" nocase
$str01 = "#21#" nocase
$str02 = "config" nocase
$str03 = "godfather" nocase
$str04 = "fafa.php" nocase
$str05 = "POPTR" nocase
$str06 = "patara.php" nocase
condition:
uint32be(0) == 0x504B0304 // APK file signature
and ( all of ($str*))
}
Article quote
من نبتَ لحمُه من ماء البِرَك كيف يستسيغُ ماء زمزم
