{
	"id": "946c4918-e5cb-4f4c-b140-7691636f1342",
	"created_at": "2026-04-06T00:19:09.334696Z",
	"updated_at": "2026-04-10T03:20:28.484013Z",
	"deleted_at": null,
	"sha1_hash": "93f01616736221e1822c80df440a6a986c409cb0",
	"title": "Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 808120,
	"plain_text": "Godfather Banking Trojan Spawns 1.2K Samples Across 57\r\nCountries\r\nBy Nate Nelson\r\nPublished: 2024-04-25 · Archived: 2026-04-05 21:05:55 UTC\r\nSource: Wodthikorn Phutthasatchathum via Alamy Stock Photo\r\nNorth of 1,000 samples of the Godfather mobile banking Trojan are circulating in dozens of countries worldwide,\r\ntargeting hundreds of banking apps.\r\nFirst discovered in 2022, Godfather — which can record screens and keystrokes, intercepts two-factor\r\nauthentication (2FA) calls and texts, initiates bank transfers, and more — has quickly become one of the most\r\nwidespread malware-as-a-service offerings in cybercrime, especially mobile cybercrime. According to\r\nZimperium's 2023 \"Mobile Banking Heists Report,\" as of late last year, Godfather was targeting 237 banking apps\r\nspread across 57 countries. Its affiliates exfiltrated stolen financial information to at least nine countries, primarily\r\nin Europe and including the US.\r\nAll that success drew attention, so, to prevent security software from spoiling the party, Godfather's developers\r\nhave been automatically generating new samples for their customers at a near industrial scale.\r\nhttps://www.darkreading.com/endpoint-security/godfather-banking-trojan-spawns-1k-samples-57-countries\r\nPage 1 of 3\n\nOther mobile malware developers across the spectrum have started doing the same thing. \"What we're seeing is\r\nthat malware campaigns are starting to get bigger and bigger,\" warns Nico Chiaraviglio, chief scientist at\r\nZimperium, who will host a session on this and other mobile malware trends at RSAC in May.\r\nBesides Godfather and other known families, Chiaraviglio is tracking an even bigger, still-under-wraps mobile\r\nmalware family with more than 100,000 unique samples in the wild. \"So that's crazy,\" he says. \"We haven't seen\r\nthat number of samples in a single malware before, ever. 
This is definitely a trend.\"\r\nBanking Trojans Spawn Hundreds of Samples\r\nMobile security is already lagging far behind security for desktops. \"In the '90s, no one was really using antivirus\r\non desktop computers, and that's kind of where we are now. Today, only one of four users are really using some\r\nsort of mobile protection. Twenty-five percent of devices are completely unprotected, compared with desktop, at\r\n85%,\" Chiaraviglio laments.\r\nMobile threats, meanwhile, are leveling up fast. One way they're doing so is by generating so many different\r\niterations that antivirus programs — which profile malware by their unique signatures — have trouble correlating\r\none infection with the next.\r\nConsider that at the time of its initial discovery in 2022, according to Chiaraviglio, there were fewer than 10\r\nsamples of Godfather in the wild. By the end of last year, that number had risen a hundredfold.\r\nIts developers have clearly been autogenerating unique samples for customers to help them avoid detection. \"They\r\ncould just be scripting everything — that would be a way to automate it. Another way would be to use large\r\nlanguage models, as code assistance can really speed up the development process,\" Chiaraviglio says.\r\nOther banking Trojan developers have followed the same approach, if at a lesser scale. In December, Zimperium\r\ntallied 498 samples of Godfather's close competitor, Nexus, 300 samples of Saderat, and 123 of PixPirate.\r\nCan Security Software Keep Up?\r\nSecurity solutions that tag malware by signature will find difficulty keeping track of hundreds and thousands of\r\nsamples per family.\r\n\"Maybe there is a lot of code reuse between different samples,\" Chiaraviglio says, something he suggests adaptive\r\nsolutions can use to correlate related malware with different signatures. Alternatively, instead of the code itself,\r\ndefenders can use artificial intelligence (AI) to focus on the behaviors of the malware. 
With a model that can do\r\nthat, Chiaraviglio says, \"it doesn't really matter how much you change the code or the way the application looks,\r\nwe will still be able to detect it.\"\r\nBut, he admits, \"at the same time, this is always a race. We do something [to adjust], then the attacker does\r\nsomething to evolve to our predictions. [For example], they can ask [a large language model] to mutate their code\r\nas much as it can. This would be the realm of polymorphic malware, which is not something that happens a lot on\r\nmobile, but we might start seeing way more of that.\"\r\nAbout the Author\r\nContributing Writer\r\nNate Nelson is a journalist and scriptwriter. He writes for \"Darknet Diaries\" — the most popular podcast in\r\ncybersecurity — and co-created the former Top 20 tech podcast \"Malicious Life.\" Before joining Dark Reading,\r\nhe was a reporter at Threatpost.\r\nSource: https://www.darkreading.com/endpoint-security/godfather-banking-trojan-spawns-1k-samples-57-countries",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/endpoint-security/godfather-banking-trojan-spawns-1k-samples-57-countries"
	],
	"report_names": [
		"godfather-banking-trojan-spawns-1k-samples-57-countries"
	],
	"threat_actors": [],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93f01616736221e1822c80df440a6a986c409cb0.pdf",
		"text": "https://archive.orkl.eu/93f01616736221e1822c80df440a6a986c409cb0.txt",
		"img": "https://archive.orkl.eu/93f01616736221e1822c80df440a6a986c409cb0.jpg"
	}
}