GodFather

GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information. [1][2]

ID: S1231
Type: MALWARE
Platforms: Android
Contributors: Google's Android Security team
Version: 1.0
Created: 29 August 2025
Last Modified: 24 October 2025

Techniques Used

Domain ID Name Use
Mobile T1453 Abuse Accessibility Features

GodFather has abused the accessibility service to prevent the user from uninstalling GodFather, to exfiltrate Google Authenticator one-time passwords and to steal credentials.[2]

Mobile T1437 .001 Application Layer Protocol: Web Protocols

GodFather has leveraged WebSockets for C2.[1]

Mobile T1429 Audio Capture

GodFather has requested the RECORD_AUDIO permission to record audio with the microphone.[2]

Mobile T1616 Call Control

GodFather has requested the CALL_PHONE permission to initiate phone calls.[2]

Mobile T1624 Event Triggered Execution

GodFather has executed when victims open their trusted banking apps, as the malware redirects the victim to a malicious version of the banking app.[1]

Mobile T1646 Exfiltration Over C2 Channel

GodFather has exfiltrated sensitive information over C2.[1][2]

Mobile T1617 Hooking

GodFather has used the Xposed hooking framework to intercept HTTP requests and responses, capturing and exfiltrating sensitive information, such as credentials.[1]

Mobile T1629 Impair Defenses

GodFather has intercepted the return values of APIs that banking apps use to detect malicious services, modifying the methods to return an empty list, which hides the presence of the malware and other active services.[1]

.001 Prevent Application Removal

GodFather has abused the accessibility service to prevent the user from uninstalling itself.[2]

Mobile T1630 Indicator Removal on Host

GodFather has requested the WRITE_EXTERNAL_STORAGE permission to delete files in the device’s external storage.[2]

Mobile T1544 Ingress Tool Transfer

GodFather has downloaded the Google Play Store, Google Play services, and Google Services Framework APKs to a virtual folder.[1]

Mobile T1417 Input Capture

GodFather has captured information about the device's screen, including detailed tap events.[1]

.001 Keylogging

GodFather has intercepted and recorded sensitive information from the application, including user credentials. GodFather has also leveraged a deceptive overlay that tricks users into submitting their device lock credentials, which it captures.[1]

Mobile T1516 Input Injection

GodFather has abused the Accessibility Service to mimic victims’ actions and to redirect victims to its StubActivity when the victims attempt to use the original, legitimate banking application.[1]

Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

GodFather has imitated Google Play Protect, a security application pre-installed on all Android devices, and its functionality, such as scanning the device and requesting the accessibility service.[2]

Mobile T1575 Native API

GodFather has hooked the getEnabledAccessibilityServiceList API to return an empty list of active services, which hides GodFather and other active services.[1]
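A defender-side consistency check for the hook described in the Impair Defenses and Native API rows above, added here as an illustration and not code from the cited reports: it compares what AccessibilityManager.getEnabledAccessibilityServiceList() returns against the ENABLED_ACCESSIBILITY_SERVICES secure setting, which a hook on the API alone leaves untouched. The class and method names are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.provider.Settings;
import android.text.TextUtils;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical helper (not from the page). A hook that forces
// getEnabledAccessibilityServiceList() to return an empty list leaves the
// Settings.Secure string untouched, so disagreement between the two is a signal.
public final class AccessibilityConsistencyCheck {
    public static final class Result {
        public final List<String> fromManager;  // ids reported by the framework API
        public final List<String> fromSettings; // components listed in Settings.Secure
        public final boolean suspicious;        // API says none, settings say some
        Result(List<String> m, List<String> s, boolean suspicious) {
            this.fromManager = m; this.fromSettings = s; this.suspicious = suspicious;
        }
    }

    public static Result run(Context ctx) {
        List<String> viaApi = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am != null) {
            for (AccessibilityServiceInfo info : am.getEnabledAccessibilityServiceList(
                    AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
                viaApi.add(info.getId()); // e.g. "com.example/.MyService"
            }
        }
        String raw = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        List<String> viaSettings = parseEnabledServices(raw);
        // The two sources flatten component names differently, so compare
        // presence rather than exact strings.
        boolean suspicious = viaApi.isEmpty() && !viaSettings.isEmpty();
        return new Result(viaApi, viaSettings, suspicious);
    }

    // The secure setting is a colon-separated list of flattened component names.
    static List<String> parseEnabledServices(String raw) {
        if (TextUtils.isEmpty(raw)) return Collections.emptyList();
        List<String> out = new ArrayList<>();
        for (String s : raw.split(":")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }
}
```

A sample that also hooks Settings.Secure defeats this particular cross-check, so treat a disagreement as a tampering signal to log and escalate, not as proof on its own.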

Mobile T1406 Obfuscated Files or Information

GodFather has obfuscated its Android manifest file with irrelevant permissions and manifest strings.[1]

Mobile T1660 Phishing

GodFather has generated fake notifications to lure the victim to phishing pages.[2]

Mobile T1636 .003 Protected User Data: Contact List

GodFather has accessed the device’s contact list.[2]

.004 Protected User Data: SMS Messages

GodFather has requested the READ_SMS permission to access SMS messages.[2]

Mobile T1603 Scheduled Task/Job

GodFather has utilized a timer to initiate a WebSocket connection.[1]

Mobile T1582 SMS Control

GodFather has requested the SEND_SMS permission to send SMS messages.[2]

Mobile T1418 Software Discovery

GodFather has gathered a list of installed applications.[1][2]

Mobile T1426 System Information Discovery

GodFather has the ability to gain remote control of the victim device and to gather device data, including battery level, sound settings, and screen brightness.[1] GodFather has also obtained the phone's state, including network information, phone number, and serial number.[2]

Mobile T1422 System Network Configuration Discovery

GodFather has accessed the device’s current cellular network information, including the phone number and the serial number.[2]

Mobile T1670 Virtualization Solution

GodFather has used virtualization to create a separate virtual environment that mimicked legitimate banking and cryptocurrency applications.[1]

References