{
	"id": "1353b281-f03c-4b66-97e1-d5361d8ac87e",
	"created_at": "2026-04-06T00:21:33.508516Z",
	"updated_at": "2026-04-10T03:21:27.96849Z",
	"deleted_at": null,
	"sha1_hash": "7b47dad6cbbfe6a1d54b9f6ae63b4e35ded2b4aa",
	"title": "GodFather Malware Targets 500 Banking \u0026 Crypto Apps Worldwide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2429390,
	"plain_text": "GodFather Malware Targets 500 Banking \u0026 Crypto Apps Worldwide\r\nPublished: 2024-11-06 · Archived: 2026-04-05 16:09:29 UTC\r\nGodFather Malware Expands Its Reach, Targeting 500 Banking And Crypto Applications Worldwide\r\nCyble analyzes the latest iteration of the GodFather Android banking trojan, which targets over 500 cryptocurrency and banking applications and has expanded its reach to Japan, Greece, Singapore, and Azerbaijan.\r\nKey Takeaways\r\nCyble Research and Intelligence Labs (CRIL) has identified a new variant of the GodFather malware, now targeting 500 banking and cryptocurrency apps.\r\nInitially focused on the UK, US, Turkey, Spain, and Italy, GodFather has expanded its reach to Japan, Singapore, Greece, and Azerbaijan.\r\nThe GodFather malware has moved its malicious functionality from Java code to native code.\r\nIn its latest version, the GodFather malware requests few permissions and relies heavily on the Accessibility service to capture credentials from targeted applications.\r\nThis updated variant also includes new commands that let the malware automate gestures on infected devices, mimicking user actions.\r\nThe threat actor (TA) behind GodFather uses a phishing site to deliver the malicious app and tracks visitor counts to plan further activity.\r\nOverview\r\nCyble Research and Intelligence Labs (CRIL) recently identified a phishing site, “mygov-au[.]app,” masquerading as the official myGov website of the Australian Government. 
Upon further analysis, this site was found to be distributing a suspicious APK file linked to the GodFather malware, which is known for stealing banking application credentials.\r\nhttps://cyble.com/blog/godfather-malware-targets-500-banking-and-crypto-apps-worldwide/\r\nPage 1 of 12\r\nFigure 1 – Phishing site impersonating the myGov website and distributing an APK file\r\nThe downloaded application, “MyGov.apk”, communicates with the URL “hxxps://az-inatv[.]com/.” The app is programmed to count the devices it is installed on, retrieve each device’s IP address, and store this information on the server in a text file. Figures 3 and 4 show the code of index.php and count.php responsible for recording the count and the IP address.\r\nFigure 2 – Malware loading the URL that maintains the counter\r\nFigure 3 – Getting counts and IP addresses\r\nFigure 4 – Getting the IP address of an infected device\r\nThe URL “hxxps://az-inatv[.]com/” hosted an open directory containing a file named counters.zip, which included the total count of infected devices and a list of IP addresses. The directory also featured a page labeled “down” that hosted another APK file called “lnat Tv Pro 2024.apk.” On analysis, this APK was identified as the GodFather malware.\r\nFigure 5 – Open directory hosting counters.zip and GodFather malware\r\nOn examining the counters.zip file, we found 151 hits in hit.txt and 59 unique IP addresses, which gives a sense of how many devices the lure reached. 
While the MyGov application collected this data, we suspect the TA may leverage this visitor information to estimate the number of potential victims and later use the same website to distribute the GodFather malware.\r\nFigure 6 – Counters.zip content\r\nNotably, we observed that the latest variant of the GodFather malware has moved from a Java implementation to native code. It now targets 500 banking and cryptocurrency applications and has expanded its reach to Japan, Singapore, Azerbaijan, and Greece. Further details on this new variant are provided in the following section.\r\nTechnical Details\r\nIn the latest version, the GodFather malware operates with minimal permissions and relies heavily on the Accessibility service to carry out its malicious activities.\r\nFigure 7 – Manifest with limited permissions\r\nNative Code Implementation\r\nStarting our analysis with the classes specified in the manifest file, we observed that the malware calls numerous native methods implementing functionality that was previously written in Java.\r\nFigure 8 – Calls to native methods\r\nThese native functions implement various malicious capabilities, including loading an injection URL into the WebView, executing automated gestures, establishing connections with the Command and Control (C\u0026C) server, and keylogging.\r\nFigure 9 – Native code implementation\r\nC\u0026C Server\r\nAs in the previous variant, the latest samples connect to the Telegram URL “hxxps://t.me/gafaramotamer,” where the TA has embedded a Base64-encoded C\u0026C URL. 
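The Telegram dead-drop lookup just described, reproduced on the analyst side as an added example (this is not the malware’s code and not Cyble’s tooling): given the HTML of a profile page, it pulls out every Base64-looking token, keeps the first one that decodes to an http(s) URL with a host, and defangs it for a report. The profile HTML below is constructed and the URL it decodes to is a placeholder; per the report, the real profile yields the akozamora[.]top address named in the next sentence.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed stand-in for a Telegram profile page used as a dead drop.
# It is NOT the real t.me/gafaramotamer page; the Base64 blob in the
# description decodes to a placeholder URL, not the live C2.
SAMPLE_PROFILE_HTML = '''<html><body>
<div class='tgme_page_title'>Sample Profile</div>
<div class='tgme_page_description'>aHR0cHM6Ly9jMi5leGFtcGxlLmludmFsaWQvei5waHA=</div>
<a class='tgme_username_link' href='https://t.me/sample'>@sample</a>
</body></html>'''

# Runs of Base64 alphabet characters long enough to hold a URL,
# with optional padding.
B64_TOKEN = re.compile('[A-Za-z0-9+/]{16,}={0,2}')


def extract_dead_drop_url(html):
    # Try every Base64-looking token; the first one that decodes to an
    # http(s) URL with a host is taken as the C2 address. Tokens that are
    # not valid Base64 or not UTF-8 text are skipped (validate=True makes
    # b64decode reject stray characters and bad padding).
    for token in B64_TOKEN.findall(html):
        try:
            decoded = base64.b64decode(token, validate=True).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            continue
        parts = urlsplit(decoded)
        if parts.scheme in ('http', 'https') and parts.netloc:
            return decoded
    return None


def defang(url):
    # Neutralise a URL for reporting: hxxp scheme and [.] in the host only,
    # so the path stays readable and the host cannot be clicked.
    parts = urlsplit(url)
    host = parts.netloc.replace('.', '[.]')
    return url.replace(parts.netloc, host, 1).replace('http', 'hxxp', 1)


def resolve_dead_drop(html):
    # Returns (raw_url, defanged_url), or (None, None) if nothing decodes.
    raw = extract_dead_drop_url(html)
    return (raw, defang(raw)) if raw else (None, None)


if __name__ == '__main__':
    raw, safe = resolve_dead_drop(SAMPLE_PROFILE_HTML)
    print('dead drop resolves to', safe)
```

Pointing this at a live profile (fetching the page yourself, not from an infected device) lets you re-resolve the C2 whenever the actor rotates it, which is the whole reason the dead drop exists; the defanged form is what belongs in a ticket or IOC list.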
The malware retrieves and decodes this URL to “hxxps://akozamora[.]top/z.php.”\r\nFigure 10 – Malware fetches C\u0026C server URL from Telegram profile\r\nTargeting 500 Crypto and Banking Applications\r\nAfter decoding the URL, the malware begins communication by sending data such as the list of installed application package names, the device’s default language, model name, and SIM name. In return, it receives a list of 500 targeted application package names associated with banking and cryptocurrency apps. In addition to previous targets in the UK, US, Turkey, Spain, and Italy, GodFather now also targets Japan, Singapore, Greece, and Azerbaijan.\r\nFigure 11 – Receives the list of target application package names\r\nWhen the user tries to interact with a target application, the malware closes the genuine application and instead loads a fake banking or crypto login URL into its WebView, or displays a blank screen. It constructs the injection URL from the C\u0026C server “hxxps://akozamora[.]top/” by appending the endpoint “rx/f.php?f=” followed by the device name, package name, and default language, then loads the assembled URL in the WebView.\r\nFigure 12 – Loading fake login pages\r\nWith this technique GodFather has replaced the traditional overlay attack: rather than drawing a fake window over the running legitimate application, the malware closes that application, brings itself to the foreground, and loads a phishing page to steal banking credentials.\r\nCommands Added In New Version\r\nThe previous version included commands for USSD and SMS operations, which have been removed in the latest version. This version also lacks the permissions needed to collect or send SMS messages from the infected device. 
Instead, the newly added commands focus primarily on automating actions on the infected device. Below is a list of commands observed in the latest version of the GodFather malware.\r\nCommand | Description\r\nclickposition | Clicks at the X and Y position received from the server\r\nbacked | Takes the user to the previous screen\r\nhome | Takes the user to the home screen\r\nrecents | Takes the user to the recent-apps screen\r\nscrollforward | Scrolls the page forward by the given parameter\r\nscrollback | Scrolls the page backward by the given parameter\r\nopencontrol | Performs gestures on the target app\r\nsetpattern | Receives a value from the server and saves it to the shared-preference variable “pc”\r\nscreenlight | Manages the screen brightness\r\nsl2 | Sets up a wake lock to keep the device awake\r\nsl3 | Similar to sl2\r\nautopattern | Enters the value received via the “setpattern” command on the device screen using the Accessibility service\r\ncsn | Sets the timer that initiates the WebSocket connection\r\nswpfull | Performs a swipe\r\nupswp | Swipes up\r\ndownswp | Swipes down\r\nleftswp | Swipes left\r\nrightswp | Swipes right\r\nvncreset | Not implemented\r\nopnap | Opens the application whose package name is received from the server\r\ngif | Loads a GIF from “hxxps://s6.gifyu.com/images/S8uz3.gif”\r\nopnsttings | Opens the Settings app\r\nopnsound | Opens the sound settings\r\nopnmsc | Opens the notification settings\r\nopnpckg | Not implemented\r\nnotifyopen | Opens the notifications using the Accessibility service\r\nConclusion\r\nThe latest version of the GodFather malware shows how dangerous and adaptable mobile threats have become. By moving to native code and requesting fewer permissions, the attackers have made GodFather harder to analyze and better at stealing sensitive information from banking and cryptocurrency apps. 
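The low-permission, Accessibility-driven profile summarised above, turned into a manifest triage check as an added example (not the sample’s manifest and not Cyble’s tooling): it parses a decoded AndroidManifest.xml of the kind apktool produces, counts declared permissions, lists services bound with BIND_ACCESSIBILITY_SERVICE, and flags the combination of an accessibility service with few permissions and none of the SMS or overlay ones. The manifest below is constructed; the package name, label and service name are placeholders, and the threshold of five permissions is an assumption chosen for illustration, not a figure from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'
ACCESSIBILITY_PERM = 'android.permission.BIND_ACCESSIBILITY_SERVICE'
# Permissions the older, Java-based style of banking trojan leaned on and
# that the report says the new variant no longer declares (SMS), plus the
# overlay permission the injection-URL technique no longer needs.
HIGH_RISK_PERMS = {
    'android.permission.READ_SMS',
    'android.permission.RECEIVE_SMS',
    'android.permission.SEND_SMS',
    'android.permission.SYSTEM_ALERT_WINDOW',
}
# Assumed threshold for illustration only: a manifest declaring this many
# permissions or fewer while hosting an accessibility service gets flagged.
MAX_QUIET_PERMS = 5

# Constructed manifest in the form apktool emits; package, label and
# service names are placeholders, not values from the analysed sample.
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.example.fakeplayer'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.QUERY_ALL_PACKAGES'/>
  <application android:label='Music Player'>
    <activity android:name='.MainActivity'/>
    <service android:name='.HelperService'
             android:permission='android.permission.BIND_ACCESSIBILITY_SERVICE'>
      <intent-filter>
        <action android:name='android.accessibilityservice.AccessibilityService'/>
      </intent-filter>
    </service>
  </application>
</manifest>'''


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = sorted(p.get(ANDROID_NS + 'name', '') for p in root.iter('uses-permission'))
    # A service only becomes an accessibility service if the system can
    # bind it, which requires this permission on the <service> element.
    a11y_services = [
        s.get(ANDROID_NS + 'name', '')
        for s in root.iter('service')
        if s.get(ANDROID_NS + 'permission') == ACCESSIBILITY_PERM
    ]
    app = root.find('application')
    label = app.get(ANDROID_NS + 'label', '') if app is not None else ''
    high_risk = sorted(set(perms) & HIGH_RISK_PERMS)
    return {
        'package': root.get('package', ''),
        'label': label,
        'permissions': perms,
        'permission_count': len(perms),
        'high_risk_permissions': high_risk,
        'accessibility_services': a11y_services,
        # The profile described for the new variant: accessibility does the
        # work, few permissions, and none of the SMS/overlay ones.
        'quiet_accessibility_profile': bool(a11y_services)
        and len(perms) <= MAX_QUIET_PERMS
        and not high_risk,
    }


if __name__ == '__main__':
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

A hit on this check is a reason to look at the native libraries and the accessibility service’s event handling next; it is a triage signal, not a verdict, since legitimate accessibility tools match the same shape.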
With its new automated actions and broader targeting of apps in more countries, this malware poses a growing risk to users worldwide. Staying alert and following strong security practices on mobile devices is essential to avoid falling victim to threats like GodFather.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that form the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nDownload and install software only from official app stores like the Google Play Store or the iOS App Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or email on your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful when granting any permissions, especially Accessibility service access.\r\nKeep your devices, operating systems, and applications updated.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Procedure\r\nInitial Access (TA0027) | Phishing (T1660) | Malware distributed via a phishing site\r\nExecution (TA0041) | Native API (T1575) | Malicious functionality implemented in native code\r\nPersistence (TA0028) | Scheduled Task/Job (T1603) | Uses a timer to initiate the WebSocket connection\r\nDefense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware pretending to be a genuine music application\r\nDiscovery (TA0032) | Application Discovery (T1418) | Collects the installed application package name list to identify targets\r\nImpact (TA0034) | Input Injection (T1516) | Malware can mimic user interaction, performing clicks and various gestures and entering data\r\nCollection (TA0035) | Input Capture: Keylogging (T1417.001) | Malware can capture keystrokes\r\nDiscovery (TA0032) | System Information Discovery (T1426) | Collects basic device information\r\nCommand and Control (TA0037) | Web Service: Dead Drop Resolver (T1481.001) | Communicates with Telegram to fetch the C\u0026C server\r\nExfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data over the C\u0026C channel\r\nIndicators of Compromise (IOCs)\r\nIndicator | Type | Description\r\nd8165712329fa120b5cc696514b5dd0d7043fbf7d6b6ef5f767348e0ba31aa6e | SHA256 | Analyzed GodFather malware\r\ne789b03b60ad99727ea65b52ce931482fb70814e | SHA1 | Analyzed GodFather malware\r\n87ccf62e07cf69c25a204bffdbc89630 | MD5 | Analyzed GodFather malware\r\nhxxps://akozamora[.]top/ | URL | C\u0026C server\r\nhxxps://t.me/gafaramotamer | URL | Telegram profile from which the malware fetches the C\u0026C URL\r\nhxxps://az-inatv[.]com | URL | URL hosting the new GodFather variant\r\nmygov-au[.]app | Domain | Phishing domain distributing the counter app\r\n8ae2fcc8bef4d9a0ae3d1ac5356dbd85a4f332ad497375cd217bd1e945e64692 | SHA256 | New GodFather variant\r\nd57ef894b53f804c97d40c3e365faf729ce2ea7386b280f9909ebc8432008eee | SHA256 | New GodFather variant\r\nd508078368d8775fcfff5a7886392da57fcf757c89687f22c0504c3df9075b00 | SHA256 | New GodFather variant\r\nb3d3019ed0a4602fb7e502e54ac12a59da1a0ed7b6736feb98ce7c417091b2e6 | SHA256 | New GodFather variant\r\n3aa7e2353c2de16734f612eba7b43a2538d96f73702a6c25283d6ef0c9300a4c | SHA256 | New GodFather variant\r\n1ce2a392dd2c1df22dfeb080c7ad290d63e3afe983729927b2f15c6705861070 | SHA256 | New GodFather variant\r\nd8165712329fa120b5cc696514b5dd0d7043fbf7d6b6ef5f767348e0ba31aa6e | SHA256 | New GodFather variant\r\n0c9e2ae9c699374f06a6d38cf2ea41232fc8a712e110be8069b08659fdf50514 | SHA256 | New GodFather variant\r\n19ed4f67710d455da42017de28688f5e55ed36809cc70252d825ac81713e95d1 | SHA256 | New GodFather variant\r\n7b4543cc4df1fc57af2cd9a892b2fab3647bdceb027d576217724a8c012a2065 | SHA256 | New GodFather variant\r\n2b1b527b87929a13f0c33391c641b3013da099fd7de10695d762da097bc13ffc | SHA256 | New GodFather variant\r\n72d40ff8ad114724b8d4e0350f81f797866c0f271844aeddc3b92f33faa6fbc0 | SHA256 | New GodFather variant\r\nSource: https://cyble.com/blog/godfather-malware-targets-500-banking-and-crypto-apps-worldwide/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cyble.com/blog/godfather-malware-targets-500-banking-and-crypto-apps-worldwide/"
	],
	"report_names": [
		"godfather-malware-targets-500-banking-and-crypto-apps-worldwide"
	],
	"threat_actors": [],
	"ts_created_at": 1775434893,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b47dad6cbbfe6a1d54b9f6ae63b4e35ded2b4aa.pdf",
		"text": "https://archive.orkl.eu/7b47dad6cbbfe6a1d54b9f6ae63b4e35ded2b4aa.txt",
		"img": "https://archive.orkl.eu/7b47dad6cbbfe6a1d54b9f6ae63b4e35ded2b4aa.jpg"
	}
}