A research team has discovered a new type of Trojan virus that has affected more than 400 apps in the Android Play Store, including 95 bitcoin (BTC) and cryptocurrency wallets.
According to research by the cybersecurity firm Group-IB, this Trojan has been operational since March 2022, when the first vulnerabilities were discovered. To date, many users may still be infected.
The Trojan, nicknamed the Godfather, is primarily intended to attack banking applications. Its capabilities include generating messages that redirect to fraudulent websites where the user is asked to enter personal information that is captured by criminals’ servers.
Although it focuses on banking applications, Group-IB determined that 94 cryptocurrency wallets were affected by the Trojan in 2022, without specifying which ones.
The vulnerability was created because the virus has the ability to access services in applications. Although the Trojan is unable to crack the cryptography with which the private keys are stored by revealing the recovery seed, it can take a screenshot that is shared with hackers, the research team determined.
Godfather is based on an older Trojan horse known as Anubis, which Group-IB said lost its effectiveness after newer versions of Android were patched against it. However, updates to the Godfather’s code allowed it to survive.
Group-IB drew attention to two apps, both of which act as vehicles for the Trojan. One of them is Currency Conversion Plus, a currency conversion application. The other is a version of Google Protect that emulates its antivirus functionality but ends up installing the Godfather on mobile devices. In the latter case, these applications are installed from third-party sources, such as pirate websites.
Similar viruses have hit cryptocurrency users in the past. Trojan is a category given to viruses that infect digital devices through other seemingly harmless applications. The name is an analogy to the Trojan horse from Homer’s Odyssey.