GodFather, a new Android banking trojan, is affecting over 400 banking and crypto apps and is active in 16 countries.

The malware mainly targets banking apps (215), but also crypto exchange platforms (110) and crypto wallet providers (94). Victims are spread across the U.S., Turkey, Spain, Italy, Canada, and other countries.

Details About the GodFather

GodFather was first detected in June 2021 by Group-IB and openly disclosed in March 2022 by ThreatFabric. It is believed to be spread through the malware-as-a-service (MaaS) model.

The malware, which operates in the Android ecosystem, aims to steal credentials by creating web fakes: overlay screens that are displayed on top of targeted apps. It also has a backdoor feature that can abuse Android’s Accessibility APIs in order to record footage, track keystrokes, grab screenshots, and gather SMS and phone logs.
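For defenders triaging a suspicious APK, the capabilities listed above leave traces in the app's decoded AndroidManifest.xml. The following is an added example, not code from Group-IB, ThreatFabric, or the original article; the mapping of behaviours to permissions is an assumption about how such capabilities are usually declared, and the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: behaviours named in the article mapped to standard Android permissions.
BEHAVIOUR_PERMISSIONS = {
    "sms_access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log_access": {"android.permission.READ_CALL_LOG"},
    "draw_over_apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: decoded manifest of a hypothetical "converter" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return the sorted list of risky behaviours a decoded manifest enables."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    found = {b for b, perms in BEHAVIOUR_PERMISSIONS.items() if perms & requested}
    # An accessibility service is a <service> guarded by the bind permission.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
           for s in root.iter("service")):
        found.add("accessibility_service")
    return sorted(found)


def needs_review(manifest_xml):
    """Flag apps pairing an accessibility service with SMS or call-log access."""
    found = set(triage_manifest(manifest_xml))
    return "accessibility_service" in found and bool(
        found & {"sms_access", "call_log_access"})


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), needs_review(SAMPLE_MANIFEST))
```

A hit is a reason to inspect the app further, not a verdict: legitimate accessibility tools also declare such a service.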

Malware analysis has revealed that GodFather is a successor of the Anubis banking trojan. The resemblance between these two malware families includes the method of obtaining the command-and-control (C2) IP, the execution of C2 instructions, and the web fake, proxy, and screen capture modules. Audio recording and location tracking, however, have been disabled.

Interestingly, GodFather spares users in post-Soviet countries. If the potential victim’s system preferences include one of the languages in that region, the Trojan shuts down. This could suggest that GodFather’s developers are Russian speakers.


Modus Operandi

Notably, GodFather recovers its C2 server address by decrypting Telegram channel descriptions that are encrypted with the Blowfish cipher. One potential distribution vector is a trojanized app dropper.

This assessment is based on a C2 address that’s linked to an app named Currency Converter Plus that was hosted on the Google Play Store as of June 2022. The application in question is no longer available for download.


Examined samples of GodFather were impersonating the legitimate Google Play Protect service and the Turkish MYT Müzik app.

GodFather is not the only Android malware based on the Anubis banking trojan. In July 2022, Falcon, a modified version of Anubis, targeted Russian users by mimicking the state-owned VTB Bank.
