Related Families: Anubis
Verticals Targeted: Financial
Cyble recently reported on Godfather, an Android banking trojan. It was recently used in a campaign targeting Turkish-speaking users.
- Godfather, based on Anubis code, is an Android banking trojan active in the wild since at least 2021.
- Godfather was recently used, masquerading as the MYT Muzik app, in a campaign targeting Turkish-speaking users.
- Over 400 financial apps have been targeted by Godfather, including cryptocurrency wallets, crypto exchanges, and banking applications.
What is Godfather?
Godfather is an Android banking trojan that has targeted over 400 financial applications, including cryptocurrency wallets, banking applications, and crypto exchanges. It is operated under a malware-as-a-service model. Threat actors have primarily used Godfather to target banking users in Europe, the US, and Turkey. It was observed in the wild as early as 2021. Cyble recently reported on a new campaign leveraging Godfather and masquerading as the MYT Muzik application, which is targeted toward Turkish-speaking users. The app was available on the Google Play Store.
Godfather uses a custom encryption scheme to evade detection. Once installed, Godfather steals various types of data, including SMS, device details, installed apps, and the victim’s phone number. Godfather allows remote control of the device using VNC. Threat actors can also use Godfather to forward incoming calls and inject banking URLs. Godfather uses convincing overlays to mimic over 400 applications, allowing threat actors to steal login credentials for financial services, crypto wallets, and other applications.
Researchers at Group-IB noted Godfather is a successor to Anubis, a formerly prolific Android banking trojan that became less popular after Android updates and malware detection made it less effective.
PolySwarm has multiple samples of Godfather.
You can use the following CLI command to search for all Godfather samples in our portal:
$ polyswarm link list -f Godfather