Home Lifestyle Godfather Malware Targets Banks and Crypto Exchanges

Godfather Malware Targets Banks and Crypto Exchanges

Godfather Malware Targets Banks

A new banking malware for Android has been going after bank websites and cryptocurrency exchanges. in this post we discussed about Godfather Malware Targets Banks.

What’s their technique? Well, malware will make fake login screens on top of banking or cryptocurrency exchange apps, where people who don’t know what’s going on will try to log in, giving the hackers their login information.

Godfather Trilogy American Crime Films

The malware seems to be a reference to the classic mafia movie Godfather Trilogy. It is trying to steal accounts from over 400 online banking sites and cryptocurrency exchanges from users in 16 countries.


When the trojan is on a device, it can look like Google Protect. It goes even further by simulating a scanning motion. This scan tries to get the user to give access to Accessibility Service requests because it seems to be authentic. Once the user agrees to the request, it can grant itself all the permissions it needs to do the wrong things, such as accessing text messages for one-time passwords, recording the screen, and more.

Analysts from Group-IB found the trojan. They thought Godfather was a new version of Annubis, a famous banking trojan in the past.

ThreatFabric first found the Godfather in March 2021, but the code has been update and improved.

Read_SMSAccess SMSs from the victim’s device.
RECEIVE_SMSIntercept SMSs received on the victim’s device
READ_CONTACTSAccess phone contacts
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
RECORD_AUDIOAllows the app to record audio with the microphone, which attackers can potentially misuse.
SEND_SMSAllows an application to send SMS messages.
CALL_PHONEAllows an application to initiate a phone call without going through the dialer user interface for the user to confirm the call.
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files in the device’s external storage
WRITE_SMSAllows the app to modify or delete SMSs
DISABLE_KEYGUARDAllows the app to disable the keylock and any associated password security
BIND_ACCESSIBILITY_SERVICEUsed for Accessibility Service

A new report from Cyble also pointed out that the Godfather has been doing more things lately. It tries to get people to download an app that pretends to be a popular music tool in Turkey and has already been download 10 million times from the Google Play Store.

People say that the Godfather tries to hack banking apps from the following:

  • US
  • Spain
  • Turkey
  • Canada
  • France
  • Germany
  • the UK.

Godfather was made so that it could figure out the system language of the device. It is fascinating that it stops working whenever the language is set to Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.  

This could mean that Russian-speaking hackers are behind it.

Ensure you only download apps from the Google Play Store, use the correct version of Google Protect, and use an anti-virus tool to stay safe from this threat.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.