Related Families: Anubis
Verticals Targeted: Financial
Executive Summary
Cyble recently reported on Godfather, an Android banking trojan. It was recently used in a campaign targeting Turkish-speaking users.
Key Takeaways
- Godfather, based on Anubis code, is an Android banking trojan active in the wild since at least 2021.
- Godfather was recently used, masquerading as the MYT Muzik app, in a campaign targeting Turkish-speaking users.
- Over 400 financial apps have been targeted by Godfather, including cryptocurrency wallets, crypto exchanges, and banking applications.
What is Godfather?
Godfather is an Android banking trojan that has targeted over 400 financial applications, including cryptocurrency wallets, banking applications, and crypto exchanges. It is operated as malware as a service model. Threat actors have primarily used Godfather to target banking users in Europe, the US, and Turkey. It was observed in the wild as early as 2021. Cyble recently reported on a new campaign leveraging Godfather and masquerading as the MYT Muzik application, which is targeted toward Turkish-speaking users. The app was available on the Google Play Store.
Godfather uses a custom encryption scheme to evade detection. Once installed, Godfather steals various types of data, including SMS, device details, installed apps, and the victim’s phone number. Godfather allows remote control of the device using VNC. Threat actors can also use Godfather to forward incoming calls and inject banking URLs. Godfather uses convincing overlays to mimic over 400 applications, allowing threat actors to steal login credentials for financial services, crypto wallets, and other applications.
Researchers at Group-IB noted Godfather is a successor to Anubis, a formerly prolific Android banking trojan that became less popular after Android updates and malware detection made it less effective.
IOCs
PolySwarm has multiple samples of Godfather.
138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4
0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8
You can use the following CLI command to search for all Godfather samples in our portal:
$ polyswarm link list -f Godfather
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports