From 50ca40e408e9ae7d90e4c890f3cc27b6506a2df3 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Wed, 25 Jan 2023 09:05:19 +0100
Subject: [PATCH] add Anubis & Godfather android banking trojans
---
 clusters/android.json | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/clusters/android.json b/clusters/android.json
index 232d31e..2bd0687 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -4664,7 +4664,35 @@
 },
 "uuid": "66026639-132f-436e-8348-1219714e9f62",
 "value": "Vulture"
+ },
+ {
+ "description": "Starting in June 2018, a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t) was discovered. The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. Anubis Masquerades as Google Protect.",
+ "meta": {
+ "refs": [
+ "https://securityintelligence.com/anubis-strikes-again-mobile-malware-continues-to-plague-users-in-official-app-stores/"
+ ]
+ },
+ "uuid": "d21ab582-2286-4827-9710-0eb283244ff1",
+ "value": "Anubis"
+ },
+ {
+ "description": "The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges.\nFew people realize that hiding under Godfather’s hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers.\nGroup-IB first detected Godfather, a mobile banking Trojan that steals the banking and cryptocurrency exchange credentials of users, in June 2021. Almost a year later, in March 2022, researchers at Threat Fabric were the first to mention the banking Trojan publicly. A few months later, in June, the Trojan stopped being circulated. One of the reasons, Group-IB analysts believe, why Godfather was taken out of use was for developers to update the Trojan further. 
Sure enough, Godfather reappeared in September 2022, now with slightly modified WebSocket functionality.",
+ "meta": {
+ "refs": [
+ "https://blog.group-ib.com/godfather-trojan"
+ ]
+ },
+ "uuid": "dddfa582-3df3-4832-bffe-c38e70b710ac",
+ "value": "GodFather",
+ "related": [
+ {
+ "dest-uuid": "d21ab582-2286-4827-9710-0eb283244ff1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "successor-of"
+ }
 }
 ],
- "version": 21
+ "version": 22
 }
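Review bot: The `"related"` array added to the GodFather entry is never closed. After the added `+ }` that ends the relationship object, the next lines are the unchanged `}` and `],`, so the patched `clusters/android.json` is not valid JSON and any consumer loading the cluster will fail to parse it. Add a `]` line after that added `}`, so the tail reads `} ] } ],`. The hunk header's counts (29 additions, 35 new-side lines) match the lines shown, so this looks like an omission in the commit, not a rendering loss. Separately, the Anubis description names "BankBot Anubis" and "Go_P00t" as aliases, but the entry has no `meta.synonyms`; adding `"synonyms": ["BankBot Anubis", "Go_P00t"]` would let reports that use those names match this cluster.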