Skip to content

Godfather Android malware targets 419 companies in 16 countries

  • by
  • 5 min read

Photo by Rafapress /

Android malware named Godfather, built on top of the already notorious Anubis malware, has been targeting users in 16 countries stealing credentials for as many as 419 banking sites, crypto wallets and exchanges and other financial services. 

Outside of targeting financial services, Cyble reports that the malware is also targeting a popular music app MYT Muzik in Turkey to steal device information such as SMS, installed apps’ data and other basic information. The malware can also control the device screen remotely, forward calls from the victim’s number and inject banking URLs. 

Researchers over at Threatfabric first discovered the malware in March 2021, but it has gone through massive updates to keep up with monthly Android security updates. Something that caused its predecessor, Anubis, to go obsolete. 

According to Group-IB’s latest report, only a small percentage of initial infections came from the Google Play Store. The researchers still aren’t sure of the main distribution channels; hence, the initial infection method remains unknown. 

What they do know, however, is that the malware targets as many as 215 banking apps, with most of them being concentrated in the following countries:

  • United States: 49
  • Turkey: 31
  • Spain: 30
  • Canada: 22
  • France: 20
  • Germany: 19
  • United Kingdom: 17

Apart from banking apps, the malware targets 110 cryptocurrency exchanges and 94 cryptocurrency wallet apps. 

Godfather Android malware targets 419 companies in 16 countries
The regions and categories that Godfather has spread to since 2021. | Source: Group-IB

Before starting any malicious activity, the malware checks the device’s language. No malicious activity occurs if the target device is operating in Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.

This is a strong indication that the malware authors could likely be Russian. Additionally, the malware also checks the device context to check whether or not it was launched in an emulator, in which case the malicious activity is also stopped. 

In the News: Malicious PyPI package caught posing as SentinelOne SDK

One malware to breach them all

Upon installation, any app running with Godfather will imitate Google Play Protect and try to ‘scan’ the device for malicious activity. This scan is actually a cover for the app to ask for accessibility service permissions from the user. Once these permissions are gained, the app can issue the rest of the access to itself. 

Additionally, these accessibility permissions are further abused to prevent the app from being installed. Once fully functional, Godfather has access to the victim’s SMS, notifications, call logs, screen recording, contacts, external storage, device status and even Google Authenticator OTPs. 

Lastly, the ‘scan’ extracts a list of installed apps on the target device and sends it back to the Command and Control (C2) server to fetch a list of fake HTML login forms for these apps. They are then overlayed over the existing app to steal the user’s credentials. 

Godfather malware’s network infrastructure. | Source: Group-IB

For any apps that the C2 doesn’t have a fake login page, it simply records the user’s screen to capture credentials. Additionally, it can also generate fake notifications from installed apps on the victim’s phone to encourage them to open the app and log in without having to wait for the user to open the app. 

Lastly, the C2 server can also issue commands to the malware, which can be executed with administrator privileges on the infected device. These include:

  • Execute USSD requests 
  • Send an SMS from the infected device
  • Send an SMS to all contacts on the infected device (not implemented in the latest version)
  • Launch an app specified by the C2
  • Show push notifications that lead to fake login pages
  • Clear the cache of any app specified by the C2
  • Enable or disable a SOCKS5 proxy
  • Enable or disable call forwarding to a number specified by the C2
  • Open an arbitrary webpage
  • Self-delete

History with Anubis

According to Group-IB’s researchers, the malware does seem to be built upon Anubis, another banking trojan whose source code got leaked in 2019. Over time, as Android systems became more resilient and detection mechanisms more sophisticated, Anubis became obsolete. 

Essentially, developers of Godfather started off with Anubis’ source code and modernised it for newer Android versions. While both trojans have the same codebase, the C2 communication protocol and capabilities, along with their implementation are modified in Godfather, classifying it as a fork of Anubis. 

In the News: India Premiership 2023 starts on Jan 5, 2023; registrations open

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here:

Exit mobile version