Godfather banking trojan generates 1.2K samples in 57 countries

Approximately 1,000 samples of the Godfather mobile banking Trojan are circulating in dozens of countries around the world, targeting hundreds of banking apps.

First discovered in 2022, Godfather, which can record screens and keystrokes, intercept two-factor authentication (2FA) calls and messages, initiate bank transfers, and more, has quickly become one of the most prevalent malware-as-a-service offerings in cybercrime, especially mobile cybercrime. According to Zimperium's 2023 “Mobile Bank Theft Report”, as of late last year Godfather was targeting 237 banking apps spread across 57 countries. Its affiliates exfiltrated stolen financial information in at least nine countries, mostly in Europe but also including the United States.

All that success attracted attention, so, to keep security software from ruining the party, Godfather’s developers began automatically generating new samples for their customers on an almost industrial scale.

Other mobile malware developers across the spectrum have started doing the same thing. “What we’re seeing is that malware campaigns are starting to get bigger and bigger,” warns Nico Chiaraviglio, chief scientist at Zimperium, who will lead a session on this and other mobile malware trends at the RSAC in May.

In addition to Godfather and other known families, Chiaraviglio is tracking an even larger, still hidden mobile malware family, with over 100,000 unique samples in circulation. “So it’s crazy,” he says. “We have never seen such a large number of samples in a single piece of malware. This is definitely a trend.”

Banking Trojans generate hundreds of samples

Mobile security is already far behind desktop security. “Back in the 90s, no one really used antivirus on desktop computers, and we’re about there. Today, only one in four users actually use some sort of mobile protection. 25% of devices are completely unprotected, compared to desktop, at 85%,” laments Chiaraviglio.

Mobile threats, meanwhile, are increasing rapidly. One way they do this is by generating so many different iterations that antivirus programs, which identify malware by its unique signatures, have trouble correlating one infection with the next.

Consider that at the time of its first discovery in 2022, according to Chiaraviglio, fewer than 10 Godfather specimens had been seen in the wild. By the end of last year the number had increased a hundredfold.

Its developers have clearly been generating unique samples automatically to help customers avoid detection. “They could just write everything in a script – that would be one way to automate it. Another way would be to use large language models, as code assistance can really speed up the development process,” says Chiaraviglio.

Other banking Trojan developers have followed the same approach, albeit on a smaller scale. In December, Zimperium collected 498 samples of Godfather’s close competitor Link, 300 samples of Saderat, and 123 of PixPirate.

Can security software keep up?

Security solutions that identify malware by signature will have difficulty keeping track of hundreds or thousands of samples per family.

“Maybe there’s a lot of code reuse between different samples,” Chiaraviglio says, something that suggests that adaptive solutions can be used to correlate related malware with different signatures. Alternatively, instead of the code itself, defenders can use artificial intelligence (AI) to zero in on the malware’s behaviors. With a model that can do this, Chiaraviglio says, “no matter how much the code or the look of the application changes, we will still be able to detect it.”

But, he admits, “at the same time, this is still a competition. Let’s do something [to adjust]; the attacker does something to evolve according to our predictions. [For example] they can ask [a large language model] to mutate their code as much as possible. This would be the realm of polymorphic malware, which isn’t something that happens a lot on mobile, but we may start to see more of it.”
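To make the contrast concrete, here is an added illustration (not code from the article or from Zimperium) of why an exact-match signature fails across auto-generated variants while a behaviour-based fingerprint still correlates them. The sample traces and capability names are constructed stand-ins for what a sandbox or on-device monitor might record; they are not real Godfather artifacts.

```python
import hashlib

# Constructed samples: (bytes that differ per build, abstract behaviour trace).
# The traces are hypothetical capability tags, not real malware data.
SAMPLES = {
    "variant_a": (b"pad-0x1f3a", ["accessibility_service", "screen_capture",
                                  "sms_receive", "call_redirect", "overlay_inject", "c2_post"]),
    "variant_b": (b"pad-0x9c04", ["accessibility_service", "overlay_inject",
                                  "screen_capture", "sms_receive", "c2_post"]),
    "variant_c": (b"pad-0x7be2", ["sms_receive", "call_redirect", "accessibility_service",
                                  "screen_capture", "keylog", "c2_post"]),
    "benign_app": (b"pad-0x0000", ["camera", "location", "network_get"]),
}


def file_hash(padding: bytes, trace: list) -> str:
    """Exact-match signature: any changed byte yields a new, unseen hash."""
    return hashlib.sha256(padding + "|".join(trace).encode()).hexdigest()


def behaviour_fingerprint(trace: list) -> frozenset:
    """Order-insensitive set of observed capabilities; survives code mutation."""
    return frozenset(trace)


def jaccard(a: frozenset, b: frozenset) -> float:
    """Similarity of two capability sets in [0, 1]."""
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster(samples: dict, threshold: float = 0.6) -> list:
    """Greedy single-linkage grouping: a sample joins the first group in which
    any member's behaviour is at least `threshold` similar to its own."""
    groups = []
    for name, (_, trace) in samples.items():
        fp = behaviour_fingerprint(trace)
        for g in groups:
            if any(jaccard(fp, behaviour_fingerprint(samples[m][1])) >= threshold for m in g):
                g.add(name)
                break
        else:
            groups.append({name})
    return groups


if __name__ == "__main__":
    for name, (pad, trace) in SAMPLES.items():
        print(name, file_hash(pad, trace)[:16], sorted(behaviour_fingerprint(trace)))
    print(cluster(SAMPLES))
```

Every sample gets a distinct hash, so a hash blocklist catches none of the unseen builds, while the three variants land in one behaviour cluster and the benign app in another.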
