{
	"id": "efb96752-c2d1-4ddf-80c5-4e82b53c509b",
	"created_at": "2026-04-06T00:17:29.254891Z",
	"updated_at": "2026-04-10T13:12:59.608104Z",
	"deleted_at": null,
	"sha1_hash": "4a474c899be62df0afbcf7c0ad4045a556c4ce6e",
	"title": "Godfather Android Banking Trojan Technical Analysis - Brandefense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3519814,
	"plain_text": "Godfather Android Banking Trojan Technical Analysis -\r\nBrandefense\r\nPublished: 2023-08-17 · Archived: 2026-04-05 17:02:53 UTC\r\nAugust 17, 2023\r\n4:36 pm\r\nGodfather Android Banking Trojan Technical Analysis\r\nThis is the open version of Godfather Android Banking Trojan Technical Analysis. If you want to\r\ndownload it as a PDF click here.\r\nExecutive Summary\r\nGodfather stands out among malicious Android software as a significant threat. This malware targets financial and\r\npersonal information, endangering users’ security. Key characteristics of Godfather include:\r\nObjective and Threat: Godfather aims to seize users’ financial account information, identity data, and\r\npersonal details. It can jeopardize users’ security, leading to financial losses and identity theft.\r\nOperational Mechanism: Utilizing keylogging, Godfather monitors users’ keystrokes, steals entered data,\r\nand tracks user interactions.\r\nDistribution Methods: This malware often spreads through fake applications or malicious websites. It\r\nincreases infection risks by luring users into traps with deceptive content.\r\nData Transmission: Godfather can transmit captured data to a command and control server.\r\nBefore the Analysis\r\nGodfather Trojan Activity Targeting Financial Sector Detected\r\nThe Group-IB Threat Intelligence team detected that the Godfather Android banking trojan targeted more than 400\r\ninternational financial companies between June 2021 and October 2022. Half of the targeted financial companies\r\nare banks, and the other half are cryptocurrency wallets and exchanges. The Godfather’s targets include 49 US-based companies, 31 Turkish-based companies, and 30 Spanish-based companies. Financial service providers in\r\nCanada, France, Germany, England, Italy, and Poland are among the hardest-hit companies. 
https://brandefense.io/blog/godfather-android-banking-trojan/\r\nPage 1 of 10\r\nFigure 1: Fake Web Pages Imitating Mobile Banking Applications Serving in Turkey\r\nSome of the activities the Godfather trojan performs on infected devices:\r\nRecording the device’s screen\r\nCreating VNC connections\r\nCapturing keystrokes (keylogging)\r\nLeaking push notifications and SMS messages (to bypass 2FA)\r\nSending SMS messages\r\nForwarding calls\r\nExecuting USSD requests\r\nStarting proxy servers\r\nEnabling silent mode\r\nEstablishing WebSocket connections\r\nIn the last 9 months Godfather activity has resumed, especially in Turkey. This time the attackers have mainly used music apps to infect their victims.\r\nImage Source: twitter.com/0x6rss\r\nTechnical Analysis\r\nGodfather declares the following permissions in its manifest.\r\nPermission List\r\nandroid.permission.ACCESS_NETWORK_STATE\r\nandroid.permission.ACCESS_WIFI_STATE\r\nandroid.permission.BIND_ACCESSIBILITY_SERVICE\r\nandroid.permission.FOREGROUND_SERVICE\r\nandroid.permission.INTERNET\r\nandroid.permission.POST_NOTIFICATIONS\r\nandroid.permission.QUERY_ALL_PACKAGES\r\nandroid.permission.READ_PHONE_STATE\r\nandroid.permission.READ_PRIVILEGED_PHONE_STATE\r\nandroid.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS\r\nandroid.permission.WAKE_LOCK\r\nWith the permissions above, the malware is able to:\r\nAccess the internet and observe network and Wi-Fi state (INTERNET, ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE)\r\nRun as an Accessibility Service (BIND_ACCESSIBILITY_SERVICE), the capability every other behaviour below builds on\r\nEnumerate every installed package (QUERY_ALL_PACKAGES), which is how it matches the device against its target list\r\nPost its own notifications (POST_NOTIFICATIONS); no notification-listener service is declared, so other apps’ notifications are read through accessibility events\r\nRead phone state (READ_PHONE_STATE; READ_PRIVILEGED_PHONE_STATE is signature-level and is not granted to a sideloaded app)\r\nStay resident as a foreground service exempt from battery optimisation (FOREGROUND_SERVICE, WAKE_LOCK, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS)\r\nUpon execution, the malware asks the user to enable its accessibility service, which is presented under the name “Müzik”. 
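Added example (not code from the Brandefense post): a Python triage script that reads a decoded AndroidManifest.xml together with the accessibility-service configuration it references and maps the declared permissions onto the capabilities listed above: keylogging through the Accessibility Service, target matching through QUERY_ALL_PACKAGES, and persistence through the foreground-service and battery-optimisation permissions. The two XML documents are constructed from the permission list in this post; the package name, class names and config path are assumptions, and READ_PRIVILEGED_PHONE_STATE is reported separately because it is signature-level and is never granted to a sideloaded app.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed decoded manifest: the permission list from the post, an accessibility service
# bound with BIND_ACCESSIBILITY_SERVICE, and a foreground service. Names are invented.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.muzik">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Müzik">
    <service android:name=".A11yService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice" android:resource="@xml/a11y"/>
    </service>
    <service android:name=".KeepAlive" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""

# Constructed res/xml/a11y.xml: what a keylogging service needs (window content plus
# text-change events in every package) next to what a benign, self-scoped service declares.
KEYLOG_A11Y = """<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeAllMask"
    android:accessibilityFeedbackType="feedbackGeneric"
    android:canRetrieveWindowContent="true"
    android:accessibilityFlags="flagReportViewIds|flagRetrieveInteractiveWindows"/>"""
BENIGN_A11Y = """<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeWindowStateChanged"
    android:accessibilityFeedbackType="feedbackSpoken"
    android:packageNames="com.example.muzik"/>"""

SIGNATURE_ONLY = {"android.permission.READ_PRIVILEGED_PHONE_STATE"}  # never granted to a sideloaded app

def permissions(manifest):
    return {e.get(ANDROID + "name") for e in ET.fromstring(manifest).iter("uses-permission")}

def accessibility_services(manifest):
    """Names of services the system can bind as accessibility services."""
    out = []
    for svc in ET.fromstring(manifest).iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if "android.accessibilityservice.AccessibilityService" in actions:
            out.append(svc.get(ANDROID + "name"))
    return out

def a11y_can_keylog(config):
    """True when the config lets the service read typed text in other apps: it must receive
    text-change events (or everything), read window content, and not be scoped to its own package."""
    root = ET.fromstring(config)
    events = root.get(ANDROID + "accessibilityEventTypes", "")
    sees_text = "typeAllMask" in events or "typeViewTextChanged" in events
    window = root.get(ANDROID + "canRetrieveWindowContent") == "true"
    unscoped = root.get(ANDROID + "packageNames") is None
    return sees_text and window and unscoped

def triage(manifest, config):
    """Map the declared capabilities onto the behaviours described in the post."""
    perms = permissions(manifest)
    findings = []
    if accessibility_services(manifest) and a11y_can_keylog(config):
        findings.append("keylogging: accessibility service with window content and text-change events")
    if "android.permission.QUERY_ALL_PACKAGES" in perms:
        findings.append("target matching: QUERY_ALL_PACKAGES enumerates every installed app")
    if {"android.permission.FOREGROUND_SERVICE",
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"} <= perms:
        findings.append("persistence: foreground service exempt from battery optimisation")
    if "android.permission.INTERNET" in perms and findings:
        findings.append("exfiltration: INTERNET available to send what is captured")
    return {"findings": findings,
            "ignored_signature_permissions": sorted(perms & SIGNATURE_ONLY),
            "suspicious": any(f.startswith("keylogging") for f in findings) and len(findings) >= 3}
```

Run it against a sample after decoding the binary manifest with apktool; the benign config shows that the event mask, window-content flag and package scope, not the mere presence of an accessibility service, are what separate a keylogger from a legitimate assistive app.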
It is observed that the malware uses these accessibility rights to press buttons on the screen, observe user input such as clicks, launch applications, and capture what the user types into a given text field.\r\nFigure 2: Accessibility service request\r\nAnti-Analysis Techniques\r\nThe malware keeps its strings encrypted and decrypts them at runtime with the Blowfish algorithm (secret key: 67d45d2f64).\r\nFigure 3: Accessibility service request\r\nIt obtains the command and control address from an encrypted string placed in the description of a Telegram account. This dead-drop technique is also common in other malware: the operators can rotate the C2 without rebuilding the sample, and the first network request goes to a legitimate domain rather than to attacker infrastructure.\r\nFigure 4: Telegram Description\r\nAgain, it uses Blowfish to decrypt this string (key: ABC, IV: abcdefgh). The presence of an IV points to a chained mode such as CBC, and a 3-byte key is below the 32-bit minimum the Blowfish specification allows; the cipher’s key schedule simply cycles the key bytes, which is why the provider used by the sample accepts it, but a spec-compliant library will reject it.\r\nFigure 5: Jump to the extracted malware payload\r\nApplication Runtime\r\nGodfather retrieves the list of target applications from the command and control server.\r\nFigure 6: Targeted Apps\r\nUnlike other banking trojans (e.g. Cerberus, Hook, ERMAC), which draw a fake login overlay on top of the targeted app, Godfather steals credentials by keylogging the real app through the accessibility service.\r\nFigure 7: Keylogger\r\nFigure 8: Keylogger output\r\nTargeted Applications\r\ncom[.]tmobtech.halkbank\r\ncom[.]vakifbank.mobile\r\ncom[.]ziraat.ziraatmobil\r\ncom[.]akbank.android.apps.akbankdirekt\r\ncom[.]anadolubank.android\r\ncom[.]fibabanka.Fibabanka.mobile\r\ntr.com[.]sekerbilisim.mbank\r\ncom[.]teb\r\ncom[.]teb.kurumsal\r\ncom[.]pozitron.iscep\r\ncom[.]ykb.android\r\ntr[.]com[.]abank.dijital\r\ncom[.]a2a.android.burgan\r\ncom[.]denizbank.mobildeniz\r\ncom[.]garanti.cepsubesi\r\ncom[.]ingbanktr.ingmobil\r\ncom[.]magiclick.odeabank\r\ncom[.]finansbank.mobile.cepsube\r\nfinansbank[.]enpara\r\nfinansbank[.]enpara.sirketim\r\ncom[.]kuveytturk.mobil\r\ncom[.]ziraatkatilim.mobilebanking\r\ncom[.]tfkb\r\ncom[.]albarakaapp\r\ncom[.]aktifbank.nkolay\r\ncom[.]fibabanka.mobile\r\ncom[.]ininal.wallet\r\ncom[.]intertech.mobilemoneytransfer.activity\r\ncom[.]isbank.isyerim\r\ncom[.]kuveytturk.yourbank\r\ncom[.]mobillium.papara\r\ncom[.]pttfinans\r\ncom[.]turkcell.paycell\r\ncom[.]vakifkatilim.mobil\r\npaladyum[.]peppara\r\ntr.com[.]hsbc.hsbcturkey.uk\r\ntr.com[.]param.android\r\nConclusion\r\nGodfather is a serious threat that exposes its victims to financial loss and privacy breaches. Users should install applications only from reputable sources and should treat any app, a music player included, that asks for accessibility access as suspect.\r\nYou can find the IoCs on our GitHub repo.",
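Added example, not code from the post or from the sample: a self-contained Python Blowfish (its tables are derived from the hex digits of pi, as the cipher specifies, so no third-party library is needed) used to reproduce the two decryption steps described under Anti-Analysis Techniques above: runtime string decryption with key 67d45d2f64 and recovery of the C2 address from a Telegram account description with key ABC and IV abcdefgh. Assumptions: both keys are used as the ASCII bytes printed in the post, strings use ECB and the Telegram blob uses CBC, both with PKCS#5 padding and base64 encoding, the description sits in a tgme_page_description div on the t.me profile page, and the sample page and C2 URL are constructed here because the post shows the dead drop only as a screenshot.

```python
import base64, re

MASK = 0xFFFFFFFF

def _arctan_inv(x, bits):
    """arctan(1/x) as a fixed-point integer scaled by 2**bits (Gregory series)."""
    power = (1 << bits) // x
    total, x2, k = power, x * x, 1
    while power:
        power //= x2
        term = power // (2 * k + 1)
        total += -term if k & 1 else term
        k += 1
    return total

def _pi_tables():
    """Blowfish's P-array and S-boxes are the first 1042 32-bit words of pi's hex fraction."""
    guard = 128
    bits = 32 * 1042 + guard
    pi = 16 * _arctan_inv(5, bits) - 4 * _arctan_inv(239, bits)   # Machin's formula
    frac = (pi - (3 << bits)) >> guard
    words = [(frac >> (32 * (1041 - i))) & MASK for i in range(1042)]
    return words[:18], [words[18 + 256 * b:18 + 256 * (b + 1)] for b in range(4)]

P_INIT, S_INIT = _pi_tables()

class Blowfish:
    def __init__(self, key):
        if not 1 <= len(key) <= 56:
            raise ValueError("key must be 1..56 bytes")
        self.p, self.s = list(P_INIT), [list(box) for box in S_INIT]
        cycled = (key * (72 // len(key) + 1))[:72]      # key bytes repeat across the 18 P words
        for i in range(18):
            self.p[i] ^= int.from_bytes(cycled[4 * i:4 * i + 4], "big")
        lr = bytes(8)                                   # P, then S1..S4, replaced by keyed output
        for table in (self.p, *self.s):
            for i in range(0, len(table), 2):
                lr = self._block(lr, self.p)
                table[i], table[i + 1] = int.from_bytes(lr[:4], "big"), int.from_bytes(lr[4:], "big")

    def _f(self, x):
        s = self.s
        return ((((s[0][x >> 24] + s[1][(x >> 16) & 0xFF]) & MASK) ^ s[2][(x >> 8) & 0xFF]) + s[3][x & 0xFF]) & MASK

    def _block(self, blk, p):
        """One 64-bit block through 16 Feistel rounds; pass P reversed to decrypt."""
        l, r = int.from_bytes(blk[:4], "big"), int.from_bytes(blk[4:], "big")
        for i in range(16):
            l ^= p[i]
            r ^= self._f(l)
            l, r = r, l
        return (r ^ p[17]).to_bytes(4, "big") + (l ^ p[16]).to_bytes(4, "big")

    def encrypt_block(self, blk):
        return self._block(blk, self.p)

    def encrypt(self, data, iv=None):
        """PKCS#5 pad, then ECB (iv=None) or CBC encrypt."""
        pad = 8 - len(data) % 8
        data, prev, out = bytes(data) + bytes([pad]) * pad, iv, bytearray()
        for i in range(0, len(data), 8):
            blk = data[i:i + 8]
            if prev is not None:
                blk = bytes(a ^ b for a, b in zip(blk, prev))
            blk = self.encrypt_block(blk)
            if prev is not None:
                prev = blk
            out += blk
        return bytes(out)

    def decrypt(self, data, iv=None):
        """ECB or CBC decrypt, then check and strip PKCS#5 padding."""
        if not data or len(data) % 8:
            raise ValueError("ciphertext must be a non-empty multiple of 8 bytes")
        p_rev, prev, out = self.p[::-1], iv, bytearray()
        for i in range(0, len(data), 8):
            blk = data[i:i + 8]
            plain = self._block(blk, p_rev)
            if prev is not None:
                plain, prev = bytes(a ^ b for a, b in zip(plain, prev)), blk
            out += plain
        pad = out[-1]
        if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
            raise ValueError("bad padding: wrong key, IV or mode")
        return bytes(out[:-pad])

STRING_KEY = b"67d45d2f64"            # from the post; assumed to be used as ASCII bytes
C2_KEY, C2_IV = b"ABC", b"abcdefgh"   # from the post

def strict_key(key):
    """Equivalent key for libraries that enforce the 32-bit minimum: the schedule cycles
    key bytes, so b'ABC' and b'ABCABC' produce an identical P-array."""
    return key * -(-4 // len(key))

def c2_from_telegram_page(html):
    """Recover the C2 address from the description of a t.me profile page (the
    'tgme_page_description' div and base64 encoding are assumptions)."""
    m = re.search(r'<div class="tgme_page_description"[^>]*>(.*?)</div>', html, re.S)
    if not m:
        return None
    blob = base64.b64decode(re.sub(r"<[^>]+>", "", m.group(1)).strip())
    return Blowfish(C2_KEY).decrypt(blob, C2_IV).decode()

# Constructed sample page: the blob is produced with the encryption side; the URL is a placeholder.
SAMPLE_C2 = "https://c2.example.invalid/api"
SAMPLE_PAGE = ('<div class="tgme_page_description" dir="auto">'
               + base64.b64encode(Blowfish(C2_KEY).encrypt(SAMPLE_C2.encode(), C2_IV)).decode()
               + '</div>')
```

To decrypt a string lifted from the decompiled code, call Blowfish(STRING_KEY).decrypt(base64.b64decode(s)).decode(); if that raises the padding error, the mode or the key encoding (ASCII versus hex) is wrong, not the cipher. strict_key is the answer to the 3-byte key: Blowfish cycles the key bytes over the P-array, so ABC and ABCABC yield the same subkeys, and the padded form is what to hand to a library such as PyCryptodome that rejects keys under 32 bits.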
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://brandefense.io/blog/godfather-android-banking-trojan/"
	],
	"report_names": [
		"godfather-android-banking-trojan"
	],
	"threat_actors": [
		{
			"id": "61c16af3-1c0e-449d-bc0e-60ae3f49dd9f",
			"created_at": "2024-07-28T02:00:04.69478Z",
			"updated_at": "2026-04-10T02:00:03.681909Z",
			"deleted_at": null,
			"main_name": "UAC-0102",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0102",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a474c899be62df0afbcf7c0ad4045a556c4ce6e.pdf",
		"text": "https://archive.orkl.eu/4a474c899be62df0afbcf7c0ad4045a556c4ce6e.txt",
		"img": "https://archive.orkl.eu/4a474c899be62df0afbcf7c0ad4045a556c4ce6e.jpg"
	}
}