{
	"id": "21723712-ace3-44c0-867d-29c74f245667",
	"created_at": "2026-04-06T00:07:56.706131Z",
	"updated_at": "2026-04-10T13:13:02.971234Z",
	"deleted_at": null,
	"sha1_hash": "8e93bef904b89b8f70fa576f0a663c5767430e1c",
	"title": "Cyble - GodFather Malware Under The Lens",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 933767,
	"plain_text": "Cyble - GodFather Malware Under The Lens\r\nPublished: 2022-03-23 · Archived: 2026-04-05 14:59:04 UTC\r\nAndroid Malware Targeting Banking Users Across Europe\r\nDuring our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a Twitter post\r\nwherein researchers mention an Android bankbot named GodFather with the name apkversion1.1.5.43 and an icon\r\nsimilar to the default Settings app.\r\nWe found notable similarities with Cereberus and Medusa banking trojans upon analyzing the malware sample.\r\nGodFather malware acts on the commands from Threat Actor’s (TA’s) Command \u0026 Control (C\u0026C) server to steal\r\nsensitive information from the victim’s device.\r\nUpon successful execution, the malware can perform malicious activities such as transferring money, getting\r\ndevice information such as phone number, installed app list, battery info, etc.\r\nWorld's Best AI-Native Threat Intelligence\r\nBy further abusing the permissions on the affected device, the malware can also steal SMSs, control device screen\r\nusing VNC, forward calls, and open URLs without the user’s knowledge.\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name:  apkversion1.1.5.43\r\nPackage Name: com.rduzmauwns.jieliysagr\r\nSHA256 Hash: 0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8\r\nhttps://blog.cyble.com/2022/03/23/godfather-malware-under-the-lens/\r\nPage 1 of 9\n\nFigure 1 shows the metadata information of an application.\r\nFigure 1 – App Metadata Information\r\nThe figure below shows the application icon and name displayed on the Android device.\r\nhttps://blog.cyble.com/2022/03/23/godfather-malware-under-the-lens/\r\nPage 2 of 9\n\nFigure 2 – App Icon and Name\r\nManifest Description\r\nThe malware requests users for 23 different permissions, out of which it abuses 11. 
These dangerous permissions are listed below.\r\nPermission Description\r\nREAD_SMS Access SMSs stored on the victim’s device\r\nRECEIVE_SMS Intercept SMSs received on the victim’s device\r\nREAD_CONTACTS Access phone contacts\r\nREAD_PHONE_STATE Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device\r\nRECORD_AUDIO Allows the app to record audio with the microphone, which attackers can potentially misuse\r\nSEND_SMS Allows an application to send SMS messages\r\nCALL_PHONE Allows an application to initiate a phone call without going through the dialer user interface for the user to confirm the call\r\nWRITE_EXTERNAL_STORAGE Allows the app to write or delete files in the device’s external storage\r\nWRITE_SMS Allows the app to modify or delete SMSs\r\nDISABLE_KEYGUARD Allows the app to disable the keylock and any associated password security\r\nBIND_ACCESSIBILITY_SERVICE Required to declare the app’s Accessibility Service; it is set on the service component rather than requested with uses-permission\r\nWe observed a defined launcher activity in the malicious app’s manifest file, which loads the application’s first screen, as shown below.\r\nFigure 3 – Launcher Activity\r\nSource Code Review\r\nDuring our analysis, we observed that the malware first asks the victim to enable Accessibility and then hides its icon from the device’s app screen.\r\nThe malware uses the code snippet shown in the image below to hide its icon.\r\nFigure 4 – Code to Hide Icon\r\nThe malware calls the SendNewUser() method to collect the victim’s device details and post them to the TA’s C\u0026C server, as shown in Figure 5.\r\nFigure 5 – Code to Get New Victim’s Info\r\nThe malware can perform money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialer user interface, as shown in the code snippet below.\r\nFigure 6 – Code to Transfer Money through USSD\r\nThe malware also uses the method SmsSender() to send multi-part text SMSs, as shown below. Splitting the message into parts bypasses the per-message character limit.\r\nFigure 7 – Code to Send SMS\r\nThe code snippet below shows the malware’s ability to steal SMSs stored on the victim’s device.\r\nFigure 8 – Code to Steal Text SMSs\r\nThe malware uses the method callForward(), which forwards the victim’s incoming calls to a number provided by the TA’s C\u0026C server, as shown in the figure below.\r\nFigure 9 – Code to Forward Calls\r\nThe method linkopen() lets the malware open URLs in the device browser without user intervention, as shown in Figure 10.\r\nFigure 10 – Code to Open URL in Browser\r\nFigure 11 shows the code that implements the malware’s ability to steal application keylogs.\r\nFigure 11 – Code to Steal Application Keylogs\r\nThe malware also uses VNC Viewer to remotely view and control the screen of an infected device, as shown below.\r\nFigure 12 – Uses VNC Viewer to Control Device Screen\r\nThe malware fetches its C\u0026C URL from the Telegram channel hxxps://t[.]me/dobrynyanikitichsobre and then sends the sensitive data collected from the victim’s device to that server, as shown in Figure 13. 
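The dead-drop resolver pattern described above (the bot reads its C2 address from a public Telegram channel instead of carrying it hard-coded) is what an analyst has to script when recovering the C2 URL offline. The Python extractor below is an added example written for this page; it is not Cyble's code and not taken from the GodFather sample. It parses a constructed copy of a Telegram channel preview page and returns the first URL in the newest message that carries one. The message markup (div elements with class tgme_widget_message_text) is an assumption about how the public t.me/s/ preview renders posts; the HTML, channel name and URL in the sample are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from typing import Optional

# Constructed sample of a Telegram channel preview page (not real data).
# The class names mirror the public t.me/s/<channel> layout as an assumption.
SAMPLE_CHANNEL_HTML = '''
<html><body>
<div class='tgme_widget_message' data-post='examplechannel/12'>
  <div class='tgme_widget_message_text'>server moved, old host is down</div>
</div>
<div class='tgme_widget_message' data-post='examplechannel/13'>
  <div class='tgme_widget_message_text'>panel: http://c2-placeholder.invalid/api/
  check in every 60s</div>
</div>
</body></html>
'''

URL_RE = re.compile(r'https?://[^ <>]+')
# Elements that never get a closing tag; they must not change nesting depth.
VOID_TAGS = {'br', 'img', 'hr', 'input', 'meta', 'link'}


class MessageTextParser(HTMLParser):
    '''Collects the text of every tgme_widget_message_text element, in page order.'''

    def __init__(self):
        super().__init__()
        self.messages = []
        self._depth = 0  # greater than 0 while inside a message-text element

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get('class') or '').split()
        if 'tgme_widget_message_text' in classes:
            self._depth = 1
            self.messages.append('')
        elif self._depth and tag not in VOID_TAGS:
            self._depth += 1  # nested <a>, <b>, ... inside the message

    def handle_endtag(self, tag):
        if self._depth and tag not in VOID_TAGS:
            self._depth -= 1

    def handle_data(self, data):
        if self._depth:
            self.messages[-1] += data


def extract_c2_url(page_html: str) -> Optional[str]:
    '''Return the first URL in the newest message that has one, or None.
    None is the failure mode Cyble observed: no URL retrievable, so the bot
    never reaches its C2 and no beaconing is seen.'''
    parser = MessageTextParser()
    parser.feed(page_html)
    for text in reversed(parser.messages):  # newest post last on the page
        cleaned = ' '.join(text.split())  # collapse newlines and indentation
        match = URL_RE.search(cleaned)
        if match:
            return match.group(0).rstrip('.,;)')  # drop trailing punctuation
    return None


if __name__ == '__main__':
    print(extract_c2_url(SAMPLE_CHANNEL_HTML))
```

The extractor walks messages newest-first so an operator rotating the panel address by posting a new message is picked up without re-reading the whole channel; when no message contains a URL it returns None, which matches the state Cyble found the sample in.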
While analysing the sample, we could not observe any C\u0026C communication, as the malware failed to retrieve the C\u0026C URL from the Telegram channel.\r\nFigure 13 – Gets C\u0026C URL from Telegram Channel\r\nThe malware can also terminate itself when it receives the corresponding command from the C\u0026C server.\r\nFigure 14 – Code to Self-Terminate\r\nBelow, we have listed the commands used by the TAs to control infected devices:\r\nCommand Description\r\nstartUSSD Transfer money using USSD\r\nsentSMS Send an SMS to a particular number\r\nstartApp Launch the application activity\r\ngetSMS Get the SMSs present on the device\r\nstartforward Forward calls\r\nlinkopen Open a URL in the browser\r\nkillbot Kill itself\r\nConclusion\r\nBanking threats are increasing with every passing day and growing in sophistication. The GodFather malware variant is one such example. The malicious code present in the malware gives it the capability to steal sensitive information from the compromised device.\r\nThere is also the additional threat of TAs using this sensitive data to commit financial fraud and to further propagate the malware to other devices.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nHow to prevent malware infection?\r\nDownload and install software only from official app stores like the Google Play Store or the iOS App Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions, particularly Accessibility, which this malware asks for first.\r\nKeep your devices, operating systems, and applications updated.\r\nHow to identify whether you are infected?\r\nRegularly check the Mobile/Wi-Fi data usage of the applications installed on your mobile device.\r\nKeep an eye on the alerts provided by anti-virus software and the Android OS and take the necessary actions accordingly.\r\nWhat to do when you are infected?\r\nDisable Wi-Fi/Mobile data and remove the SIM card, as in some cases the malware can re-enable Mobile Data.\r\nTake a backup of personal media files (excluding mobile applications) and perform a factory reset.\r\nRemove the application in case a factory reset is not possible.\r\nWhat to do in case of any fraudulent transaction?\r\nIn case of a fraudulent transaction, immediately report it to the concerned bank.\r\nWhat should banks do to protect their customers?\r\nBanks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 
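A practical follow-on to the permission table above, for analysts triaging APKs rather than end users: the Python script below is an added example written for this page, not Cyble's tooling. It reads a decoded AndroidManifest.xml (as apktool or aapt2 would dump it), collects the permissions the app requests plus those it enforces on its own components, and reports the overlap with the 11 permissions GodFather abuses together with the permission combinations that characterize a bankbot. Both manifests embedded in it are constructed, the package and class names are placeholders, and the pattern names are this example's own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'
A11Y_PERMISSION = 'android.permission.BIND_ACCESSIBILITY_SERVICE'

# The 11 permissions the report lists as abused, in manifest form.
GODFATHER_ABUSED: Set[str] = {
    'android.permission.READ_SMS',
    'android.permission.RECEIVE_SMS',
    'android.permission.READ_CONTACTS',
    'android.permission.READ_PHONE_STATE',
    'android.permission.RECORD_AUDIO',
    'android.permission.SEND_SMS',
    'android.permission.CALL_PHONE',
    'android.permission.WRITE_EXTERNAL_STORAGE',
    'android.permission.WRITE_SMS',
    'android.permission.DISABLE_KEYGUARD',
    A11Y_PERMISSION,
}

# Capability groups (names are this example's own) that together read as a bankbot.
BANKBOT_PATTERNS: Dict[str, Set[str]] = {
    'sms_interception': {'android.permission.RECEIVE_SMS', 'android.permission.READ_SMS'},
    'sms_sending': {'android.permission.SEND_SMS'},
    'silent_ussd_calls': {'android.permission.CALL_PHONE'},
    'ui_control': {A11Y_PERMISSION},
}

# Constructed decoded manifests (placeholders, not real samples).
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.example.placeholder'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.READ_SMS'/>
  <uses-permission android:name='android.permission.RECEIVE_SMS'/>
  <uses-permission android:name='android.permission.SEND_SMS'/>
  <uses-permission android:name='android.permission.CALL_PHONE'/>
  <uses-permission android:name='android.permission.READ_CONTACTS'/>
  <uses-permission android:name='android.permission.READ_PHONE_STATE'/>
  <application android:label='Settings'>
    <service android:name='.A11yService'
        android:permission='android.permission.BIND_ACCESSIBILITY_SERVICE'>
      <intent-filter>
        <action android:name='android.accessibilityservice.AccessibilityService'/>
      </intent-filter>
    </service>
  </application>
</manifest>'''

BENIGN_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.example.benign'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.ACCESS_NETWORK_STATE'/>
  <application android:label='Weather'/>
</manifest>'''


def collect_permissions(manifest_xml: str) -> Set[str]:
    '''Permissions the app requests (uses-permission) plus permissions it
    enforces on its own components (android:permission on a service, receiver
    or activity). BIND_ACCESSIBILITY_SERVICE only ever appears in the second
    form, so reading uses-permission alone would miss the accessibility abuse.'''
    root = ET.fromstring(manifest_xml)
    found: Set[str] = set()
    for node in root.iter('uses-permission'):
        name = node.get(ANDROID_NS + 'name')
        if name:
            found.add(name)
    for tag in ('service', 'receiver', 'activity'):
        for node in root.iter(tag):
            perm = node.get(ANDROID_NS + 'permission')
            if perm:
                found.add(perm)
    return found


def triage(manifest_xml: str) -> Dict[str, object]:
    '''Score one manifest: overlap with the GodFather set, which capability
    groups are fully present, and a bankbot-like verdict that needs SMS
    interception, a way to act (send SMS or dial USSD) and UI control.'''
    perms = collect_permissions(manifest_xml)
    hits = sorted(name for name, needed in BANKBOT_PATTERNS.items() if needed <= perms)
    bankbot_like = ('sms_interception' in hits and 'ui_control' in hits
                    and ('sms_sending' in hits or 'silent_ussd_calls' in hits))
    return {
        'requested': len(perms),
        'abused_overlap': sorted(perms & GODFATHER_ABUSED),
        'patterns': hits,
        'bankbot_like': bankbot_like,
    }


if __name__ == '__main__':
    for label, manifest in (('sample', SAMPLE_MANIFEST), ('benign', BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The verdict is a prioritization heuristic, not a detection on its own: a legitimate SMS client requests the SMS permissions too, so the accessibility binding combined with silent-call or SMS-sending capability is the discriminating signal, and a hit should send the sample to the kind of code review the figures above describe.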
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1476 Deliver Malicious App via Other Means\r\nInitial Access T1444 Masquerade as Legitimate Application\r\nExecution T1575 Native Code\r\nCollection T1412 Capture SMS Messages\r\nCommand and Control T1436 Commonly Used Port\r\nIndicators of Compromise (IOCs)\r\nIndicator Indicator Type Description\r\n0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8 SHA256 GodFather APK\r\n3fa48a36d22d848ad111b246ca94fa58088dbb7a SHA1 GodFather APK\r\nec9f857999b4fc3dd007fdb786b7a8d1 MD5 GodFather APK\r\nc79857015dbf220111e7c5f47cf20a656741a9380cc0faecd486b517648eb199 SHA256 GodFather APK\r\n2b3b78d3a62952dd88fc4da4688928ec6013af71 SHA1 GodFather APK\r\nd7118d3d6bf476d046305be1e1f9b388 MD5 GodFather APK\r\nhxxps://t[.]me/dobrynyanikitichsobre URL Telegram channel used to fetch the C\u0026C URL\r\nSource: https://blog.cyble.com/2022/03/23/godfather-malware-under-the-lens/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/03/23/godfather-malware-under-the-lens/"
	],
	"report_names": [
		"godfather-malware-under-the-lens"
	],
	"threat_actors": [],
	"ts_created_at": 1775434076,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e93bef904b89b8f70fa576f0a663c5767430e1c.pdf",
		"text": "https://archive.orkl.eu/8e93bef904b89b8f70fa576f0a663c5767430e1c.txt",
		"img": "https://archive.orkl.eu/8e93bef904b89b8f70fa576f0a663c5767430e1c.jpg"
	}
}