GodFather Android malware targets over 400 crypto-exchanges and banks

An Android banking malware called “Godfather” has been targeting users in 16 countries, attempting to steal credentials for over 400 cryptocurrency and online banking websites.

When victims try to log in to their banking or crypto exchange apps, the malware generates login screens that are overlaid on top of the legitimate ones. This tricks the victim into entering their credentials into well-crafted HTML phishing pages.

Group-IB analysts discovered the Godfather trojan. They believe it is the successor to Anubis, a once-popular banking trojan that has been slowly withdrawn from use because of its inability to bypass Android security updates.

ThreatFabric discovered Godfather. However, it has been subject to numerous code updates and improvements over the years.

an article highlighting the rise in activity of Godfather, pushing an app that mimics a Turkish music tool and was downloaded 10,000,000 times via Google Play.

Banks worldwide targeted

Group-IB found the malware in a few apps on the Google Play Store. However, it is not known how the primary distribution channel works.

Nearly half of the apps that Godfather targets, 215, are banking apps. Most of these are located in the United States (49), Turkey (31), Spain (30), Canada (22) and France (20).

Besides banking apps, Godfather also targets 110 cryptocurrency exchange platforms.

Godfather targeting overview


The trojan checks the system language and stops operating if it is set to Russian or Azerbaijani.

This strongly suggests that Godfather’s authors are Russian-speaking and may have been residing in the CIS (Commonwealth of Independent States) region.

The Godfather

Once installed on a device, Godfather imitates Google Protect, a security feature that all Android phones have. The malware goes as far as mimicking a device-scanning action.

The purpose of this scan is to request access to the Accessibility Service from what seems to be a legitimate tool. Once the victim has approved the request, the malware can issue itself all the permissions necessary to carry out malicious behavior.

These include access to SMS texts and notifications, screen recording, contacts and phone numbers.

The Accessibility Service is also misused to stop the user from removing the trojan, exfiltrate Google Authenticator one-time passwords (OTPs), process commands and steal the contents of password and PIN fields.
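Because Godfather depends on the victim granting Accessibility Service access, a defender can review which third-party apps hold that access on a device. The following is an added example, not taken from the original article or the Group-IB report: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`. The sample output and package names are constructed.

```python
import re

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

def parse_accessibility(setting: str) -> dict:
    """Map package -> [service classes] from colon-separated 'package/service' items."""
    services = {}
    value = setting.strip()
    if value in ("", "null"):  # the setting is empty when nothing is enabled
        return services
    for comp in value.split(":"):
        pkg, _, cls = comp.strip().partition("/")
        if pkg:
            if cls.startswith("."):  # expand a relative class name
                cls = pkg + cls
            services.setdefault(pkg, []).append(cls)
    return services

def parse_packages(listing: str) -> dict:
    """Map package -> installer (None if unknown) from 'pm list packages -3 -i'."""
    pkgs = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)(?:\s+installer=(\S+))?", line.strip())
        if m:
            installer = m.group(2)
            pkgs[m.group(1)] = None if installer in (None, "null") else installer
    return pkgs

def review_accessibility(setting: str, listing: str, allow=frozenset()) -> list:
    """Third-party apps holding an accessibility service, non-Play installs first."""
    third_party = parse_packages(listing)
    findings = []
    for pkg, classes in parse_accessibility(setting).items():
        if pkg in third_party and pkg not in allow:
            installer = third_party[pkg]
            findings.append({"package": pkg, "services": classes, "installer": installer,
                             "sideloaded": installer != PLAY_STORE})
    return sorted(findings, key=lambda f: (not f["sideloaded"], f["package"]))

# Constructed sample output; the com.example.* package names are made up.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.scanner/.ProtectService:"
                  "com.example.pwmanager/com.example.pwmanager.AutofillA11y")
SAMPLE_LISTING = """package:com.example.scanner  installer=null
package:com.example.pwmanager  installer=com.android.vending
package:com.example.game  installer=com.android.vending"""

if __name__ == "__main__":
    for finding in review_accessibility(SAMPLE_SETTING, SAMPLE_LISTING):
        print(finding)
```

A finding is a prompt for manual review, not a verdict: legitimate apps such as password managers also use accessibility services, and the article notes the malware was found in apps on Google Play as well.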

Godfather collects a list of installed apps in order to get matching injections (fake HTML login forms that steal credentials) from the C2 server.

“The web fakes imitate the login pages of legitimate applications, and all data entered on the fake HTML pages, such as usernames or passwords, is exfiltrated to C&C servers.”

It can also generate fake notifications from apps on the victim’s device to redirect the victim to a phishing page.

Examples of fake overlays targeting Turkish users


Godfather’s screen recording capabilities can be used to record credentials from apps that are not listed on the app store.

The malware also accepts the following commands from the C2 and executes them with administrator privileges:

  • StartUSSD – Make a USSD request
  • SentSMS – Send SMS messages from the infected device (not processed in later versions of the malware)
  • StartApp – Start an app that is defined by the C2
  • Cahcecleaner – Clear the cache of any app specified by the C2
  • BookSMS – Send SMS messages to all contacts. Most likely used for propagation. Not yet in use in the latest version.
  • startforward/stopforward – Enable/disable call forwarding to a number specified by the C2
  • openbrowser – Open any web page
  • startsocks5/stopsocks5 – Enable/disable a SOCKS5 proxy
  • Killbot – Self-delete
  • StartPush – Show push notifications which, when clicked, open a fake (phishing) page

In addition to the above, the trojan has modules that enable it to perform actions such as keylogging, setting up a VNC server and recording the screen.

Anubis Connection

The source code for Anubis was released in 2019. Godfather could be either another project by the same authors or new malware developed by another threat group.

The similarities between the two include the way that C2 addresses are received and the way C2 commands are processed and implemented.

Godfather has omitted Anubis’ audio, file encryption and GPS tracking modules. However, it has added a VNC module, implemented a new protocol and traffic encryption algorithm, and added a system that can steal Google Authenticator codes.

Godfather, a dangerous and feature-rich trojan, is built from code proven to be from Anubis, and targets a large number of Android users around the world.

You can protect yourself from this threat by only downloading apps from Google Play. Also, keep your device updated and use an antivirus tool. Make sure Play Protect is active and minimize the number of apps installed.