Android Malware Mimics MYT Müzik App to Target Turkish Users
GodFather is a notorious Android banking trojan known for targeting banking users, mostly in European countries. Cyble Research & Intelligence Labs (CRIL) blogged about this GodFather android malware in March 2022 and explained how it targeted android banking users worldwide. Recently, CRIL identified several GodFather Android samples masquerading as MYT application. This application has the name MYT Müzik which is written in the Turkish language. Thus, we suspect this application targets Android users in Turkey.
The GodFather samples analyzed are encrypted using custom encryption techniques to evade detection by the anti-virus products. Upon installing this application on our testing device, we observed that it uses an icon and name similar to a legitimate application named MYT Music which is hosted on the Google Play Store with more than 10 million downloads. The image below shows the malicious application’s icon and name on the Android device’s screen.
The GodFather Android malware, after successful installation on the victim’s device, steals sensitive data such as SMSs, basic device details, including installed apps data, and the device’s phone number. Apart from these, it can also control the device screen using VNC, forwarding incoming calls of the victim’s device and injecting banking URLs.
Technical Analysis
APK Metadata Information
- App Name: MYT Müzik
- Package Name: com.expressvpn.vpn
- SHA256 Hash: 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4
Figure 2 shows the metadata information of an application.
Manifest Description
The malware requests 23 different permissions from the user, out of which it abuses at least 6. These dangerous permissions are listed below:
| Permissions | Description |
| READ_CONTACTS | Access phone contacts |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files in the device’s external storage |
| DISABLE_KEYGUARD | Allows the app to disable the keylock and any associated password security |
| BIND_ACCESSIBILITY_SERVICE | Used for Accessibility Service |
Source Code Review
The malicious application uses the code below to hide/unhide its icon from the device screen.
The below image shows the code snippet used by the malware for collecting Victim’s device details, such as device model info, installed apps list, etc., and uploading them to the TAs’ server.
The malware can do money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialer user interface, as shown in the figure below.
The malware creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages when it receives sunset_cmd from the TAs C&Cserver, as shown in the below image.
Upon receiving the command from the C&C server, the malware forwards Victim’s incoming calls to a number provided by the TAs’.
The image shown below contains the code through which the malware can steal application key logs.
The malware uses the below-shown code to view/control the victim device’s screen using a VNC viewer.
The malicious application gets the C&C server URL from a telegram channel: hxxps://t[.]me/varezotukomirza, through which it communicates with the TAs to get the commands and sends the stolen data from the device.
The malware terminates itself after receiving a “killbot” command from TAs C&C server. The below-shown code snippet depicts the same.
The malware uses the below commands to extract sensitive information from the user’s device.
| Command-List |
| startUSSD |
| sentSMS |
| startApp |
| startforward |
| killbot |
| send_all_permission |
| vnc_open |
| keylog_active |
| unlock_screen |
| sunset |
| startscreen |
Conclusion
GodFather Android Banking trojan was seen targeting European users at the beginning of the year 2022. Now, it comes back with advanced encryption techniques used to obfuscate its code. This shows the TA’s ability to continuously enhance their techniques to target people with avoiding detections from Anti-virus programs.
As per the research, such malware is distributed via sources other than Google Play Store. As a result, practicing basic cyber hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on anti-viruses and Android OS alerts and take necessary actions accordingly.
What to do when you are infected?t
- Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Means. |
| Initial Access | T1444 | Masquerade as a Legitimate Application |
| Execution | T1575 | Native Code |
| Collection | T1513 | Screen Capture |
| Command and Control | T1436 T1616 | Commonly Used Port Call Control |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 40a099d574cd588903d9cf8701da8d006e58be406049d26a61cc291720270b60 da021a501372f8de9a1d2c11802ec452f218a1c3fd39356151acae076c3304ff 76cd894001f01f56299079b7eace162947b51b8b3a587c26709613e42279b850 e6fb245a7dd02af549e2d62f42413dcacda0fb847ee84d52b0f69c8219f3e81d e67b8b78550396f542ded77d2118487ac1afb0d4ac6b70774889bbb4e6d88265 b58b9a2ba58813ad4fbf2f6349a522f9a49bf8b3190237eb9c43c1d085f4497e 3f7eae6cc61fdc2553a2acdede69be84945a7a724b632dea3ff8466f74b56249 8d07967b9253951b52c631383a3dde8513572b3c996c338819f4e12a7a60bf23 7d9d89371f0409660136ad7a238e345b140b9359fae186814ec9572996f373a6 536e9a5b341eb6e0708e58f65679232513b2896674b8b2615ff93c58fe1dbcf9 50df8248535002052622f00b691bd60ad735e16e685a9d7b95a0850dc4229ad3 363eb5d89b43946a4af03e2399e47125bec822729d764b08004eb492212d51db 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4 0932a99030a80786f8215e5cb5c879708848bd62141ff4672e23823ddc562ac7 06b0bebc1422a969ef10a0f13fb253b0697d079d7126551370b9757da6564c9d d981bccfde804bb662e4acb1e7a97298b4a081c02b498a01abfeec74a60b8fdc 61e67d1ce1577d5a08d0ae970ac20fa5f0b8db3660b6c6c83189130be3039675 93a8d9d57a816b1c0401660256db8e37d29a92a43cd7d9668f9d05db820aa572 896301f184ff67a0fa9570e4275eafe66ab907636e381b86b87d28532aea0c82 55183db5a190f08ce9e1589b2b7186ce64523c85c2c8b2ea03c52315b529b451 32c7ef93f3329709bf38b7d6ea5f076fb8bd86d36785ed811d99efcb98f8ae58 | SHA256 | Malicious APK |
| hxxps://t[.]me/varezotukomirza | URL | Telegram Channel Hosting Encrypted C&C Server |
