{
	"id": "34462546-b14a-4383-a4bc-8b5158bb44a9",
	"created_at": "2026-04-06T01:32:11.482423Z",
	"updated_at": "2026-04-10T13:12:40.006234Z",
	"deleted_at": null,
	"sha1_hash": "b527c0501d340b0463c5f6df9d6a495e524e64a2",
	"title": "Godfather Malware Returns: Targeting Banking Users and Online Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1236901,
	"plain_text": "Godfather Malware Returns: Targeting Banking Users and Online Security\r\nBy cybleinc\r\nPublished: 2022-12-20 · Archived: 2026-04-06 00:12:00 UTC\r\nCyble analyzes GodFather, an Android malware impersonating the MYT application to steal users' sensitive information.\r\nAndroid Malware Mimics MYT Müzik App to Target Turkish Users\r\nGodFather is a notorious Android banking trojan known for targeting banking users, mostly in European countries. Cyble Research \u0026 Intelligence Labs (CRIL) blogged about the GodFather Android malware in March 2022 and explained how it targeted Android banking users worldwide. Recently, CRIL identified several GodFather Android samples masquerading as the MYT application. This application carries the name MYT Müzik, which is written in the Turkish language, so we suspect it targets Android users in Turkey.\r\nThe GodFather samples analyzed are encrypted using custom encryption techniques to evade detection by anti-virus products. Upon installing this application on our testing device, we observed that it uses an icon and name similar to those of a legitimate application named MYT Music, which is hosted on the Google Play Store with more than 10 million downloads. The image below shows the malicious application’s icon and name on the Android device’s screen.\r\nhttps://blog.cyble.com/2022/12/20/godfather-malware-returns-targeting-banking-users/\r\nPage 1 of 8\r\nFigure 1 – App Icon and Name Displayed on the Device Screen\r\nThe GodFather Android malware, after successful installation on the victim’s device, steals sensitive data such as SMSs and basic device details, including installed apps data and the device’s phone number. Apart from these, it can also control the device screen using VNC, forward the victim’s incoming calls, and inject banking URLs.\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: MYT Müzik\r\nPackage Name: com.expressvpn.vpn\r\nSHA256 Hash: 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4\r\nFigure 2 shows the metadata information of the application.\r\nFigure 2 – App Metadata Information\r\nManifest Description\r\nThe malware requests 23 different permissions from the user, out of which it abuses at least 6. These dangerous permissions are listed below:\r\nPermission – Description\r\nREAD_CONTACTS – Access phone contacts\r\nREAD_PHONE_STATE – Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.\r\nCALL_PHONE – Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.\r\nWRITE_EXTERNAL_STORAGE – Allows the app to write or delete files in the device’s external storage\r\nDISABLE_KEYGUARD – Allows the app to disable the keylock and any associated password security\r\nBIND_ACCESSIBILITY_SERVICE – Used for Accessibility Service\r\nSource Code Review\r\nThe malicious application uses the code below to hide/unhide its icon from the device screen.\r\nFigure 3 – Code to Hide/Unhide Icon\r\nThe image below shows the code snippet used by the malware to collect the victim’s device details, such as device model info and the installed apps list, and upload them to the TAs’ server.\r\nFigure 4 – Code to Collect Basic Device Info\r\nThe malware can perform money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialer user interface, as shown in the figure below.\r\nFigure 5 – Code to Transfer Money using USSD\r\nThe malware creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages when it receives sunset_cmd from the TAs’ C\u0026C server, as shown in the image below.\r\nFigure 6 – Code to Inject HTML Pages\r\nUpon receiving the command from the C\u0026C server, the malware forwards the victim’s incoming calls to a number provided by the TAs.\r\nFigure 7 – Code to Forward Victim’s Incoming Calls\r\nThe image shown below contains the code through which the malware can steal application key logs.\r\nFigure 8 – Code to Steal Key Logs\r\nThe malware uses the code shown below to view/control the victim device’s screen using a VNC viewer.\r\nFigure 9 – Code to Monitor Victim Device’s Screen\r\nThe malicious application gets the C\u0026C server URL from a Telegram channel, hxxps://t[.]me/varezotukomirza, through which it communicates with the TAs to receive commands and send the stolen data from the device.\r\nFigure 10 – Malware Gets C\u0026C URL from Telegram Channel\r\nThe malware terminates itself after receiving a “killbot” command from the TAs’ C\u0026C server. The code snippet shown below depicts the same.\r\nFigure 11 – Code to Terminate Itself\r\nThe malware uses the commands below to extract sensitive information from the user’s device.\r\nCommand-List\r\nstartUSSD\r\nsentSMS\r\nstartApp\r\nstartforward\r\nkillbot\r\nsend_all_permission\r\nvnc_open\r\nkeylog_active\r\nunlock_screen\r\nsunset\r\nstartscreen\r\nConclusion\r\nThe GodFather Android banking trojan was seen targeting European users at the beginning of 2022. Now it comes back with advanced encryption techniques used to obfuscate its code. This shows the TAs’ ability to continuously enhance their techniques to target people while evading detection by anti-virus programs.\r\nAs per the research, such malware is distributed via sources other than the Google Play Store. As a result, practicing basic cyber hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nHow to prevent malware infection?\r\nDownload and install software only from official app stores like the Google Play Store or the iOS App Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nHow to identify whether you are infected?\r\nRegularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.\r\nKeep an eye on anti-virus and Android OS alerts and take necessary actions accordingly.\r\nWhat to do when you are infected?\r\nDisable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.\r\nPerform a factory reset.\r\nRemove the application in case a factory reset is not possible.\r\nTake a backup of personal media files (excluding mobile applications) and perform a device reset.\r\nWhat to do in case of any fraudulent transaction?\r\nIn case of a fraudulent transaction, immediately report it to the concerned bank.\r\nWhat should banks do to protect their customers?\r\nBanks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic – Technique ID – Technique Name\r\nInitial Access – T1476 – Deliver Malicious App via Other Means\r\nInitial Access – T1444 – Masquerade as a Legitimate Application\r\nExecution – T1575 – Native Code\r\nCollection – T1513 – Screen Capture\r\nCommand and Control – T1436 – Commonly Used Port\r\nCommand and Control – T1616 – Call Control\r\nIndicators of Compromise (IOCs)\r\nIndicator – Indicator Type – Description\r\nhxxps://t[.]me/varezotukomirza – URL – Telegram Channel Hosting Encrypted C\u0026C Server\r\nSource: https://blog.cyble.com/2022/12/20/godfather-malware-returns-targeting-banking-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/12/20/godfather-malware-returns-targeting-banking-users/"
	],
	"report_names": [
		"godfather-malware-returns-targeting-banking-users"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439131,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b527c0501d340b0463c5f6df9d6a495e524e64a2.pdf",
		"text": "https://archive.orkl.eu/b527c0501d340b0463c5f6df9d6a495e524e64a2.txt",
		"img": "https://archive.orkl.eu/b527c0501d340b0463c5f6df9d6a495e524e64a2.jpg"
	}
}