
Rise of the Godfather: The Growing Threat of Mobile Banking Trojans and the Challenge for Security Software

More than 1,000 samples of the Godfather mobile banking Trojan are circulating in many countries around the world, targeting numerous banking applications.

Godfather, first discovered in 2022, is dangerous malware that can capture screens and keystrokes, intercept 2FA calls and texts, perform bank transfers, and more. It has become a popular choice for cybercriminals, particularly in the mobile cybercrime sector. The 2023 "Mobile Banking Heists Report" by Zimperium revealed that Godfather has targeted 237 banking apps in 57 countries. The stolen financial information was sent to at least nine countries, with a focus on Europe and the US.

Godfather's success has attracted attention, and its developers now automatically generate new samples for their customers on a large scale so that security software does not interfere.

Mobile malware developers are increasingly launching larger campaigns, according to Nico Chiaraviglio, the chief scientist at Zimperium. Chiaraviglio will be discussing this trend, along with other mobile malware trends, at RSAC in May.

In addition to Godfather and other well-known families, Chiaraviglio is monitoring a larger mobile malware family that is still being kept secret, with over 100,000 distinct samples in existence. He expresses astonishment at this, as such a high number of samples in a single malware family has never been seen before. This indicates a growing trend in the cybersecurity landscape.

The number of samples of banking trojans is increasing rapidly.

There is a noticeable gap in security measures between mobile devices and desktops. Currently, only one out of four users has some form of protection on their mobile devices, leaving 25% completely vulnerable. This is in stark contrast to desktops, where 85% of users have some form of security in place.

Threats to mobile devices are rapidly increasing in complexity. They are evolving by creating numerous variations that make it difficult for antivirus programs to detect and correlate infections based on their unique signatures.

When Godfather was first found in 2022, there were fewer than 10 instances of it in the wild, according to Chiaraviglio. However, by the end of the previous year, the number of Godfather samples had increased by 100 times.

The creators of the software have been generating custom samples automatically to assist customers in evading detection. Chiaraviglio suggests that this could be achieved through scripting or using advanced language models to streamline the development process.

Other developers of banking Trojans have adopted similar tactics, although on a smaller scale. Zimperium identified 498 instances of Nexus, a close rival to Godfather, in December, as well as 300 instances of Saderat and 123 instances of PixPirate.

Is it possible for security software to effectively detect and track numerous samples of malware within the same family, given that traditional signature-based solutions may struggle to keep up with the volume of threats?

Chiaraviglio believes that there may be a significant amount of shared code among various malware samples, which adaptive solutions can leverage to link related malware with distinct signatures. Rather than analyzing the code directly, defenders can utilize artificial intelligence (AI) to examine the behaviors exhibited by the malware. According to Chiaraviglio, with a suitable model in place, it becomes possible to detect the malware regardless of how much the code is altered or the appearance of the application is changed.
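The contrast between per-sample signatures and shared behavior can be shown with a small added example (not Zimperium's method or code from the original article). It uses Jaccard similarity over behavior sets as a simple stand-in for the AI model described above; the sample names, byte strings and behavior labels are all constructed for illustration.

```python
import hashlib
from itertools import combinations

# Constructed samples: (stand-in for package bytes, observed behaviour labels).
# The labels are hypothetical and not taken from any real analysis report.
CORE = {"accessibility_service", "screen_capture", "read_sms", "overlay_window"}
SAMPLES = {
    "variant_a": (b"build-0001", CORE | {"call_forwarding"}),
    "variant_b": (b"build-0002", CORE | {"call_forwarding", "keylog"}),
    "variant_c": (b"build-0003", set(CORE)),
    "flashlight": (b"benign-01", {"camera_flash"}),
    "sms_backup": (b"benign-02", {"read_sms", "cloud_upload"}),
}

def signature(blob):
    """Exact-match signature: any rebuild of the package changes it."""
    return hashlib.sha256(blob).hexdigest()

def unique_signatures(samples):
    return len({signature(blob) for blob, _ in samples.values()})

def jaccard(a, b):
    """Share of behaviours two samples have in common (0.0 to 1.0)."""
    return len(a & b) / len(a | b)

def cluster(samples, threshold=0.6):
    """Group samples whose behaviour sets overlap by at least `threshold`."""
    parent = {name: name for name in samples}

    def find(name):
        while parent[name] != name:
            name = parent[name]
        return name

    for x, y in combinations(samples, 2):
        if jaccard(samples[x][1], samples[y][1]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    # Largest family first, then alphabetical, for stable output.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    print("distinct signatures:", unique_signatures(SAMPLES))
    for group in cluster(SAMPLES):
        print("behaviour cluster:", group)
```

Every sample has a different hash, yet the three variants fall into one cluster while the benign app that merely reads SMS stays separate.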

However, he acknowledges that cybersecurity is a constant competition. As defenders make adjustments, attackers adapt and find new ways to circumvent defenses. An example of this is attackers using large language models to change their code to evade detection. This type of malware, known as polymorphic malware, is not common on mobile devices currently, but there is a possibility of it becoming more prevalent in the future.
