{
	"id": "239b3a62-07b5-42e2-8c69-645a9b13d617",
	"created_at": "2026-04-06T00:18:47.313134Z",
	"updated_at": "2026-04-10T03:20:06.793073Z",
	"deleted_at": null,
	"sha1_hash": "0596db7d3f65a4aa47722351ee262be8b4395fb5",
	"title": "Technical analysis of Godfather android malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 508491,
	"plain_text": "Technical analysis of Godfather android malware\r\nBy Muhammad Hasan Ali\r\nPublished: 2023-02-08 · Archived: 2026-04-05 14:12:13 UTC\r\nIn the name of God, the Most Gracious, the Most Merciful\r\nFreePalestine\r\nIntroduction\r\nGodfather is a malware that targets Android devices. It was first discovered in 2020 and is known for its sophisticated and aggressive behavior. The malware is designed to steal sensitive information such as banking credentials, passwords, and other personal data from infected devices.\r\nThe Godfather Android banking malware is a threat to users in 16 countries, as it has been designed to steal account credentials from over 400 online banking sites and cryptocurrency exchanges. It accomplishes this by disguising itself as a login screen, overlaying the login forms of banking and cryptocurrency exchange apps.\r\nAnti-emulator\r\nAfter the malware is installed on the device, it checks whether the device is an emulator. If the malware is installed on an emulator, it will not run its malicious functions.\r\nFigure(1): The method that checks for emulator existence\r\nThe method returns a boolean: when the malware checks for an emulator, the return value is 0 when there is no emulator and 1 when there is an emulator.\r\nCollect victim's device info\r\nhttps://muha2xmad.github.io/malware-analysis/godfather/\r\nPage 1 of 12\n\nThe malware will collect information about the infected device and send the collected information to the C2 server. The information sent to the C2 server includes applist (all the applications installed on the device), ag (the user agent), sim (the network operator name), phone (the phone number of the device), model (the device model), and ver (the device version).\r\nFigure(2): The method that collects info about the victim's device\r\nUSSD\r\nThis method lets the malware transfer money by making USSD (Unstructured Supplementary Service Data) calls, without even using the dialer user interface.\r\nFigure(3): The method that performs USSD\r\nWhen the malware communicates with the C2 server and the response contains the startUSSD command, the malware starts this method to transfer money using USSD.\r\nFigure(4): The command that performs USSD\r\nCall forwarding\r\nThe malware has the ability to forward incoming calls. This is used to bypass two-factor authentication (2FA).\r\nFigure(5): The method that performs call forwarding\r\nWhen the malware communicates with the C2 server and the response contains the startforward command, the malware starts this method to begin call forwarding.\r\nFigure(6): The command that performs call forwarding\r\nPush notifications\r\nThe malware will push fake notifications as if they came from a legitimate application. When the user opens a fake notification, it opens a fake web page where the user may enter his/her information, such as username, email, or password.\r\nFigure(7): The method that performs pushing fake notifications\r\nWhen the malware communicates with the C2 server and the response contains the startPush command, the malware starts this method to begin pushing fake notifications.\r\nFigure(8): The command that performs pushing fake notifications\r\nSmishing\r\nThe malware will send a message containing malicious URLs, which download malicious applications, to the victim's contacts. This message is received from the C2 server, and the malware then sends it to all contacts.\r\nFigure(9): The method that queries contacts\r\nWhen the malware communicates with the C2 server and the response contains the BookSMS command, the malware starts this method to begin sending SMSs to the victim's contacts.\r\nFigure(10): The command that performs Smishing\r\nSteal SMSs\r\nThe malware will collect the SMSs on the victim's device and send the data to the C2 server. This is used to bypass two-factor authentication (2FA).\r\nFigure(11): The method that performs collecting SMSs\r\nWhen the malware communicates with the C2 server and the response contains the sentSMS command, the malware starts this method to begin sending the SMSs to the C2 server.\r\nFigure(12): The command that performs stealing SMSs\r\nRecord the screen\r\nThe malware will record a video of the screen of the victim's device and then send the video to the C2 server. This technique is used to steal sensitive data, in the same way as the overlay attack. When the user opens a targeted app, the malware reports to the C2 server that the user opened a targeted app. The C2 server then sends a command to start recording the screen.\r\nFigure(13): The method that performs recording a video\r\nVNC\r\nVNC, which stands for Virtual Network Computing, is a protocol for remote control of computers. VNC can be used by the malware to gain remote control over an infected device, allowing the attacker to perform various malicious activities.\r\nFor example, a VNC-based Android malware might allow an attacker to remotely access the device's screen, camera, microphone, and other resources, allowing them to steal sensitive information, carry out phishing attacks, or monitor the user's activities. The malware may also use the VNC connection to install additional malicious software on the device, making it part of a larger network of compromised devices (known as a botnet).\r\nFigure(14): The command that performs starting VNC\r\nsettings_port: the value of the port is 5900.\r\nsettings_password: the value of the password is 123.\r\nuser: the value of the user is bluetooth_name.\r\nvnc_host: the value of the host is 5500.\r\nThe settings_port and settings_password values are saved in the Shared Preferences.\r\nOverlay attack\r\nWhen the user opens a targeted app, the malware displays a fake or malicious overlay on top of the active window of the targeted app. The malicious window looks the same as the legitimate app. This allows the attacker to steal sensitive information, such as login credentials, credit card numbers, or other sensitive data, by tricking the user into entering it into the overlay.\r\nFigure(15): The method that performs overlay attack\r\nStart/Kill the malware\r\nThe C2 server sends a command to the malware to start or terminate itself.\r\nFigure(16): The command that starts the malware\r\nFigure(17): The command that performs killing the bot\r\nCache cleaner\r\nThe malware will clear the cache of an app. The C2 server sends the cachecleaner command, with the app name included in the command.\r\nFigure(18): The command that clears the cache\r\nCommunications\r\nThe malware gets the C2 server URL from the description of a Telegram channel. The malware sends an HTTP request to https://t.me/varezotukomirza to get the encrypted C2 server zH7cPW3ZEHj5SDEKxFtXcoMXMJmMGlMGCH978whkdfQ. The C2 server is encrypted using the Blowfish algorithm in ECB_MODE with ABC as the key, and encoded using Base64.\r\nFigure(19): The encrypted C2 server\r\nTo decrypt the C2 server:\r\nDecode the Base64, then\r\nDecrypt the Blowfish ciphertext in ECB_MODE using ABC as the key\r\nThanks to Witold Precikowski for helping to decrypt the C2 server. We use this script to decrypt the encrypted C2 server obtained from the Telegram channel.\r\nfrom Crypto.Cipher import Blowfish  # pycryptodome\r\nimport base64\r\nbs = Blowfish.block_size\r\nkey = b'ABC'\r\n# Encrypted C2 string taken from the Telegram channel description\r\ndata = 'zH7cPW3ZEHj5SDEKxFtXcoMXMJmMGlMGCH978whkdfQ='\r\n# Base64 decode\r\nciphertext = base64.b64decode(data)\r\n# Decrypt Blowfish in ECB mode\r\ncipher = Blowfish.new(key, Blowfish.MODE_ECB)\r\nmsg = cipher.decrypt(ciphertext)\r\n# Strip the padding: the last byte holds the padding length\r\nlast_byte = msg[-1]\r\nmsg = msg[:- (last_byte if type(last_byte) is int else ord(last_byte))]\r\nprint(msg)\r\nThe decrypted C2 server will be https://kalopterbomrassa.shop/.\r\nAfter the malware gets the C2 server, the communication between the C2 server and the malware is decrypted using AES/CBC/NoPadding with fedcba9876543210 as the IV and 0123456789abcdef as the key.\r\nFigure(20): Algorithm to decrypt communication between the C2 server and the malware\r\nSpecial thanks to Witold Precikowski, Lasha kh., and Re-ind for their continuous help and support.\r\nIoCs\r\nApp name: MYT Müzik\r\nPackage name: com.expressvpn.vpn\r\nSha256: 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4\r\nTelegram channel: https://t.me/varezotukomirza\r\nC2 server: https://kalopterbomrassa.shop/\r\nYara rule\r\nrule Godgather {\r\n meta:\r\n author = \"@muha2xmad\"\r\n date = \"2023-02-09\"\r\n description = \"Godfather android malware\"\r\n version = \"1.0\"\r\n strings:\r\n $str00 = \"main_wang\" nocase\r\n $str01 = \"#21#\" nocase\r\n $str02 = \"config\" nocase\r\n $str03 = \"godfather\" nocase\r\n $str04 = \"fafa.php\" nocase\r\n $str05 = \"POPTR\" nocase\r\n $str06 = \"patara.php\" nocase\r\n condition:\r\n uint32be(0) == 0x504B0304 // APK file signature\r\n and ( all of ($str*))\r\n}\r\nArticle quote\r\nBy your Lord, how can he savor the water of Zamzam,\r\nhe whose flesh grew from the water of the …\r\nREF\r\nGodfather: A banking Trojan that is impossible to refuse\r\nSource: https://muha2xmad.github.io/malware-analysis/godfather/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://muha2xmad.github.io/malware-analysis/godfather/"
	],
	"report_names": [
		"godfather"
	],
	"threat_actors": [],
	"ts_created_at": 1775434727,
	"ts_updated_at": 1775791206,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0596db7d3f65a4aa47722351ee262be8b4395fb5.pdf",
		"text": "https://archive.orkl.eu/0596db7d3f65a4aa47722351ee262be8b4395fb5.txt",
		"img": "https://archive.orkl.eu/0596db7d3f65a4aa47722351ee262be8b4395fb5.jpg"
	}
}