
Godfather


The Godfather malware is an Android banking Trojan that targets mobile banking and cryptocurrency applications and is capable of bypassing MFA. Known for its ability to evade detection and mimic legitimate software, it poses a significant threat to individuals and organizations by stealing sensitive data and enabling financial fraud.

Type: Trojan
Origin: Unknown
First seen: 1 December, 2022
Last seen: 1 October, 2025


IOCs

Domains:
mygov-au.app
az-inatv.com
akozamora.top


What is Godfather malware?

Godfather is a rebranded and evolved variant of the Anubis trojan, first identified in 2022. It primarily targets Android devices, exploiting their accessibility services and employing innovative techniques such as on-device virtualization to hijack legitimate apps. This malware is designed to steal sensitive information, including banking credentials, two-factor authentication codes, and cryptocurrency wallet data.

It mimics legitimate applications and uses advanced obfuscation techniques to avoid detection. Once installed, it overlays fake login screens on top of banking and cryptocurrency apps to harvest user credentials. Godfather is actively maintained and frequently updated, making it a persistent and evolving threat.

It relies on several infection and distribution vectors:

  • Disguised as legitimate apps in third-party app stores or even Google Play (later removed)
  • Delivered via smishing (malicious SMS)
  • Embedded in phishing websites
  • Spread through social engineering campaigns
  • Sometimes distributed through cracked or modded APKs.


Godfather Victimology

Godfather primarily targets users in Europe, the U.S., and Canada, but its campaigns have also affected regions in Asia and the Middle East.

Both individual consumers and businesses, particularly those with mobile banking operations or cryptocurrency holdings, are at risk. Enterprises with employees using personal devices for corporate access (BYOD) are especially vulnerable due to the malware’s ability to compromise mobile endpoints.

What Godfather Can Do to a User's Device

Once installed, Godfather can severely compromise an Android device by:

  • Stealing Data: Captures SMS, contacts, login credentials, and two-factor authentication codes.
  • Screen Control: Uses Virtual Network Computing (VNC) to control the device screen remotely.
  • Keylogging: Records keystrokes to steal PINs and passwords.
  • Preventing Removal: Abuses accessibility services to block uninstallation attempts.
  • Push Notification Manipulation: Sends fake notifications to trick users into revealing sensitive information.

How Godfather Threatens Businesses and Organizations

Similar to other Android malware like Salvador Stealer and Spynote, Godfather can be used to:

  • Compromise corporate accounts and credentials
  • Steal funds or initiate unauthorized transactions
  • Gain access to internal systems through employees' mobile devices
  • Bypass enterprise 2FA protections
  • Facilitate lateral movement within networks via compromised mobile credentials.

The consequences for businesses are not limited to serious financial losses and reputational damage from the exposure of sensitive customer or corporate data; they can escalate to operational disruption and regulatory fines.


How Does Godfather Function?

Godfather operates by impersonating legitimate applications, such as Google Protect, to gain user trust. It requests permissions to access device storage, SMS, contacts, and accessibility services. Once granted, it:

  • Runs fake scans to mimic legitimate security tools.
  • Uses on-device virtualization to create a sandbox, allowing it to hijack legitimate banking or crypto apps.
  • Intercepts user inputs and exfiltrates data to command-and-control (C&C) servers.
  • Executes commands like transferring funds or opening malicious URLs without user knowledge.

Godfather Attack Chain Live

Watch a sample of Godfather detonated in ANY.RUN’s Interactive Sandbox to analyze its execution chain and gather data for detecting the trojan and protecting your organization.

View sandbox analysis of Godfather

Godfather malware analysis in the Sandbox

In this sample, Godfather begins its execution with a dropper disguised as a legitimate-looking app, such as “Müzik İndir,” a fake music downloader. Once launched, it shows a prompt claiming a plug-in is needed. In the background, it silently installs a second-stage APK without user consent.

After installation, the malware redirects the victim to Accessibility settings. It asks the user to activate a new service named “Music Downloader.” If granted, this gives the malware full control to simulate taps, read screen content, and overlay fake elements on top of real apps.

In this specific sample, the malware does not use virtualization. However, other Godfather variants have been seen using frameworks like VirtualApp and Xposed. These allow them to sandbox and clone real banking apps, intercepting user input, screen data, and network activity in real time.

When virtualization is used, the malware launches genuine banking apps inside its controlled environment. The user sees the real interface, but everything is monitored and manipulated silently in the background. This enables seamless data theft and transaction fraud.
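The sections above describe the permission pattern Godfather depends on: an accessibility service the user is tricked into enabling, plus SMS, overlay and package-install permissions for the dropper. The following triage helper is an added example (not ANY.RUN's code or anything taken from the sample) that checks a decoded AndroidManifest.xml, such as apktool output, for that combination; the manifest, package name and service name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions that map onto the capabilities described above (constructed mapping).
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read 2FA codes from SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install a second-stage APK",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Flag the accessibility-plus-SMS/overlay/install combination in a manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    findings = {perm: why for perm, why in RISKY_PERMISSIONS.items() if perm in requested}
    # An accessibility service is not a <uses-permission>: it is a <service>
    # protected by BIND_ACCESSIBILITY_SERVICE that the user must enable by hand.
    accessibility_services = [
        s.get(NAME) for s in root.iter("service")
        if s.get(PERMISSION) == ACCESSIBILITY_PERMISSION
    ]
    score = len(findings) + (2 if accessibility_services else 0)
    # Suspicious = accessibility service plus at least two of the risky permissions.
    return {"findings": findings, "accessibility_services": accessibility_services,
            "score": score,
            "suspicious": bool(accessibility_services) and len(findings) >= 2}

# Constructed manifest imitating the fake "music downloader" dropper pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.musicdl">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".MusicDownloaderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The check is a heuristic for prioritising samples, not a verdict: legitimate accessibility tools also bind BIND_ACCESSIBILITY_SERVICE, so findings should be confirmed in the sandbox.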

Godfather stores its configuration in shared preferences, including AES-encrypted and Base64-encoded C2 URLs. Campaigns typically target hundreds of apps, with many focused on Turkish financial institutions. Importantly, Godfather has been found distributed through the official Google Play Store. It often mimicked popular apps like MYT Music to bypass detection and reach a wider audience, as reported by Malwarebytes and other security vendors.

Like its predecessor, the Anubis banking trojan, Godfather is offered as malware-as-a-service, which helps explain the wide range of capabilities and variations seen across different campaigns.

Gathering Threat Intelligence on Godfather malware

Threat intelligence provides context, indicators of compromise (IOCs), and TTPs (tactics, techniques, and procedures) used by Godfather operators. It is critical in combating Godfather by:

  • Identifying IOCs: Indicators of compromise, such as C&C server IPs or malicious app signatures, help detect infections early.
  • Predicting Attack Trends: Real-time intelligence on Godfather’s evolving tactics, like virtualization, informs proactive defenses.
  • Enhancing Detection: Feeding IOCs into SIEM or EDR systems improves alert accuracy and response times.

Use ANY.RUN’s Threat Intelligence Lookup to find more public Godfather analyses in the Interactive Sandbox, watch the malware’s behavior on the network and on the device, and collect IOCs and IOBs.

threatName:"godfather"

Godfather samples found via TI Lookup: samples recently analyzed in the Sandbox

You can also explore other malware targeting financial services users by searching the malware type “banker” in TI Lookup.

threatName:"banker"

Banking malware samples found via TI Lookup: banking trojan samples recently analyzed in the Sandbox

Regular research helps analysts follow the emerging threat patterns and build proactive protection of business assets.


Conclusion

Godfather is a highly adaptive and dangerous mobile malware that exploits users’ trust and weaknesses in mobile security. With the right mix of mobile protection tools, user education, and actionable threat intelligence, organizations and individuals can reduce their exposure and respond swiftly to potential infections.
