Report an incident

Get 24/7 incident response assistance from our global team

Talk to sales

Just fill out the form, and our representative will contact you soon.

Join the Cybercrime Fighters Club

Please review the following rules before submitting your application:

1. Our main objective is to foster a community of like-minded individuals dedicated to combatting cybercrime and who have never engaged in Blackhat activities.

2. All applications must include research or a research draft. You can find content criteria in the blog. Please provide a link to your research or research draft using the form below.

The Godfather enters: banking Trojan targets users of more than 400 apps in 16 countries

Media Center Press Releases
December 21, 2022 · 8 min to read
Godfather
Threat Intelligence
Trojan
Turkey
United States

Group-IB, one of the global cybersecurity leaders, has today presented its findings about Godfather, an Android banking Trojan that is currently being utilized by cybercriminals to attack users of leading banking and crypto exchange applications in 16 countries. To date, Godfather has targeted the users of more than 400 applications thanks to its ability to generate convincing web fakes and overlay them on the screens of infected devices when a user tries to open a targeted application. With this scheme, the threat actors leveraging Godfather attempt to steal victims’ login credentials and bypass two-factor authentication in order to gain access to victims’ accounts and drain their funds. During their research into this new Android Trojan, Group-IB’s Threat Intelligence team discovered that Godfather is a successor of Anubis, a widely-used banking Trojan whose functionalities were limited by Android updates and the prior efforts of malware detection and prevention providers.

It’s not personal, it’s strictly business

As of October 2022, 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms have been targeted by Godfather. The Trojan has also been used in a range of markets, as users in more than a dozen countries have been at risk of having their credentials stolen by threat actors leveraging Godfather. According to Group-IB’s findings, banking applications in the United States (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17), have been the most targeted by this particular Trojan. A full breakdown of Godfather’s scope can be found below:

Figure 1: Who and where Godfather targets

Interestingly, Group-IB found in Godfather’s code a functionality that stops the Trojan from attacking users who speak Russian or one of a number of languages used in the former Soviet Union, which could suggest that the developers of Godfather are Russian speaking. The Trojan does this by checking the system language of the infected device and shutting down if the language is one of: Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.

The Godfather’s playbook

To start analyzing Godfather, one must start with Anubis. Godfather is an upgraded version of the Anubis banking Trojan, whose source code was leaked back in 2019. Anubis’ functionalities were clipped by Android updates, meaning that malware developers looked for ways to update the Trojan to allow it to continue attacking unsuspecting users.

Group-IB found that both Anubis and Godfather have the same code base, but the latter’s control & command communication protocol and capabilities were updated. Godfather’s developers also modified Anubis’ traffic encryption algorithm, updated several functionalities such as Google Authenticator OTPs, and added a separate module for managing virtual network computing connections. Additionally, several functionalities found in Anubis, such as the ability of the Trojan to encrypt files, record audio, or parse GPS data, have been removed.

Analysts at Group-IB first detected Godfather in June 2021. Godfather stopped being circulated in June 2022, which Group-IB analysts believe was due to the malware being updated further. Godfather would eventually reappear in September 2022, now with slightly modified WebSocket functionality. A distinctive feature of the Trojan is that it can be distributed via a Malware-as-a-Service (MaaS) model, with this being discovered thanks to the real-time Telegram monitoring capabilities of Group-IB’s Threat Intelligence solution. Additionally, Group-IB researchers found that C&C addresses for Godfather were shared through Telegram channel descriptions, as was the case with Anubis.

Figure 2: A Telegram user asking for a review of the Godfather banking trojan

As of writing, there is still a lack of clarity on how exactly Godfather infects devices. However, Group-IB Threat Intelligence researchers discovered, through an analysis of the Trojan’s network infrastructure, a domain whose C&C address was that of an Android application. While Group-IB was unable to obtain the payload, analysts believe that a malicious application hosted on the Google Play Store contained the Godfather Trojan.

Figure 3: Godfather’s network infrastructure, as detailed by Group-IB’s Graph Network Analysis tool

Above is a screenshot of Group-IB’s patented Graph Network Analysis tool, a feature of Group-IB’s intelligence-driven Unified Risk Platform, that shows links between the C&C addresses of Godfather and the downloaded application (below).

Figure 4: A screenshot of the Google Play Store listing for the application found in Godfather’s network infrastructure (Source: @0xabc0)

Once Godfather is downloaded onto a device, the Trojan attempts to achieve persistence by imitating Google Protect, a legitimate program that runs once an individual downloads an application from the Play Store. The malware is able to emulate the legitimate Google application and indicates to the user that it is “scanning”. However, the malware is doing nothing of the sort. Instead, it creates a pinned “Google Protect” notification and hides its icon from the list of installed applications.

The malware, as “Google Protect”, also launches a service to request access to AccessibilityService, an Android feature used by developers to adapt their applications to users with disabilities. Access to AccessibilityService is also requested once the user presses the “Scan” button in the fake Google Protect application. With access to AccessibilityService, Godfather issues itself the necessary permissions and starts communicating with the C&C server.

Just when you thought you were out, Godfather pulls you back in

The user, who has no idea that their device is now infected with malware, goes about their daily business. At this point, Godfather kicks into action. A signature feature of Godfather, as with many other banking Trojans, is the use of web fakes, also known as HTML pages created by threat actors that display over legitimate applications. The user may interact with these web fakes at two stages: either when they open a legitimate application that is targeted by Godfather, or when they interact with a decoy notification spoofing a targeted banking or crypto application on the user’s device

The web fakes mimic the login pages for the legitimate applications, and all data that is entered into the fake HTML pages, such as usernames and passwords, is exfiltrated to C&C servers. The threat actors harvest these credentials and then use them to enter the legitimate applications, with the help of Godfather’s functionality to exfiltrate push notifications to harvest two-factor authentication codes, and drain the user’s accounts. While Group-IB does not have definitive data on the amount of money stolen by operators of Godfather, the methods harnessed by malicious actors are cause for concern.

Figure 5: HTML fakes contained in Godfather imitating targeted Turkish companies

Godfather’s functionalities also include:

  • Recording the screen of the victim’s device
  • Establishing VNC connections
  • Launching keyloggers
  • Exfiltrating push notifications (for bypassing two-factor authentication); preceding versions of the Trojan also exfiltrated SMS messages
  • Forwarding calls (for bypassing two-factor authentication)
  • Executing USSD requests
  • Sending SMS messages from infected devices
  • Launching proxy servers
  • Establishing WebSocket connections (added to the new, September 2022 version of Godfather).

“The emergence of Godfather underscores the ability of threat actors to edit and update their tools to maintain their effectiveness in spite of efforts by malware detection and prevention providers to update their products. Malicious actors can return to the source code, update out-of-date malware types, and in many ways make them even more dangerous. With a tool like Godfather, threat actors are limited only by their ability to create convincing web fakes for a particular application.”

Artem Grischenko
Artem Grischenko

Junior Malware Analyst at Group-IB

To minimize their risk of downloading banking Trojans such as Godfather, Group-IB’s Threat Intelligence team recommends users to always check for updates on their mobile devices, avoid downloading applications from sources other than the Google Play Store, ensure that they are downloading the legitimate, verified application from these sources, and check what permissions an application requests once it is downloaded.

Try Group-IB Threat Intelligence now!

Optimize strategic, operational and tactical decision-making with best-in-class cyber threat analytics

Request Threat Intelligence Demo Right Now

 

For organizations wishing to protect their customers from the attacks of threat actors, Group-IB recommends its Fraud Protection solution, which monitors user sessions and prevents malware from defrauding their clients. Group-IB’s Fraud Protection detects the latest fraud techniques, phishing preparation, and other types of attacks. In this way, Fraud Protection “catches” banking Trojans, detects unauthorized remote access, web injections, cross-channel attacks, and personal data collection. Group-IB’s solution implements patented algorithms that help detect infected devices without the client’s involvement and without the need to install additional software.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, The most complete Fraud Protection, AI-powered Digital Risk Protection, Multi-layered protection with Managed Extended Detection and Response (XDR), All-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Read next
Top Women in Security ASEAN Awards 2025
November 13, 2025
Group-IB’s High-Tech Crime Investigations team triumphs at Top Women in Security ASEAN Awards 2025
October 21, 2025
Group-IB launches Asia-Pacific’s first Cyber Fusion Center in Singapore
October 9, 2025
Group-IB Intelligence Powers Spanish Guardia Civil Operation to Dismantle the “GXC Team” Cybercrime Syndicate
September 30, 2025
Group-IB and Cyber Samurai join forces to enhance cyber resilience in the DACH region
September 26, 2025
Group-IB supports INTERPOL’s “Operation Contender 3.0”, leading to the arrest of 260 suspects in Africa
September 25, 2025
Group-IB Unites Partners to Strengthen Turkey’s Cybersecurity Landscape
Go to all Press Releases →