Godfather malware is draining banking and crypto accounts — what you need to know

smartphone malware
(Image credit: Shutterstock)

Android users in 16 countries around the world are currently being targeted by a banking malware named ‘Godfather’ which is capable of stealing account credentials from more than 400 different banking and crypto apps.

First discovered by ThreatFabric back in March of last year, the Godfather trojan has been significantly updated and improved since then according to a new report from the cybersecurity firm Group-IB.

Likewise, the dark web and cybercrime monitoring firm Cyble has released a separate report detailing how Godfather is also being spread in Turkey through a malicious app that has been downloaded 10 million times which impersonates a popular music tool.

As BleepingComputer points out, Godfather is believed to be the successor to Anubis which was another popular and widely-used banking trojan before it lost the ability to bypass newer Android defenses.

Targeting banking and crypto apps

Since it first appeared last year, Godfather has targeted users of more than 400 applications including 215 banking apps, 94 crypto wallets and 110 crypto exchange platforms. 

The banking apps targeted by the malware are found in various countries around the world with 49 in the U.S., 31 in Turkey, 30 in Spain, 22 in Canada, 20 in France, 19 in Germany and 17 in the UK.

Surprisingly, Group-IB found a line in Godfather’s code that prevents the malware from targeting users in Russia as well as users from former Soviet Union countries which suggests its creators speak Russian. Once installed on an Android phone, the malware checks to see if the system language is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. If it is, Godfather shuts down and doesn’t try to steal any banking or crypto accounts stored on the device.

Using fake overlays to steal your financial accounts

A person trying to login into their bank account using their phone

(Image credit: Shutterstock)

Once installed on a user’s Android phone through a malicious app or file, Godfather tries to achieve persistence on the device by imitating Google Protect. This legitimate program runs once you download an app from the Google Play Store.

Godfather then tells a user that it is “scanning” when in reality, the malware creates a pinned “Google Project” notification and hides its icon from the list of installed apps. This makes it easier for the malware to hide in the background and harder to delete.

Since Godfather’s icon is nowhere to be found, a targeted user goes about their daily business. However, the malware then uses fake overlays of popular banking and crypto apps to steal their credentials and drain their accounts.  Godfather also uses a clever trick to send users to phishing pages. It does this by displaying a decoy notification that spoofs banking or crypto apps installed on their smartphone.

Besides stealing credentials, Godfather can also record a user’s screen, launch keyloggers to capture their keystrokes, forward calls to bypass two-factor authentication (2FA) and send SMS messages from infected devices.

How to protect yourself from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

To protect yourself from Godfather and other Android malware, you should only install new apps from Google Play Store or other official app stores like the Amazon App Store or Samsung Galaxy Store. While sideloading apps may be tempting, they can contain malware and other viruses since they don’t go through any security checks before being uploaded.

You should also make sure that Google Play Protect is enabled on your device as it scans new apps as well as your existing apps for malware. For additional protection though, you may also want to install one of the best Android antivirus apps as well.

In an email to Tom's Guide, a Google spokesperson provided further details on how Google Play Protect helps keep you safe from harmful apps including sideloaded ones, saying:

“Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Users are protected by Google Play Protect, which blocks these identified malicious apps on Android devices.”

Before installing any new app, you should first ask yourself if you really need it. By limiting the number of apps installed on your Android smartphone, you can lower the chances of having your device infected with malware.

Godfather is already being used in countries around the world and cybercriminals will likely continue to deploy this malware in their campaigns due to the way in which it can bypass Android security checks and the large number of banking and crypto apps it targets.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.