top of page

The Godfather of Android malware

Godfather is a banking trojan targeting Android devices identified again through a surge of recent activity. Assessed as the successor to Anubis, a well-established and capable strain of malware, Godfather has been able to target over 200 banking applications, 17 of which are from within the UK.

Whilst Godfather is targeting banking applications, it is similar to other banking trojans and couples this activity with the targeting of cryptocurrency exchange platforms and cryptocurrency wallets, demonstrating that the threat actors behind the malware have a clear motive for financial gain.

The malware was originally identified in March of this year before dropping off the radar, likely due to not being able to overcome the subsequent security updates that protected devices against the threat.

However, Godfather has now come back with a vengeance by significantly changing their source code, launching campaigns across at least 16 countries, including the UK and boasting over ten million downloads in Turkey alone.

The identified campaigns partnered with analysis of the source code, which shows the malware shutting down if a Cyrillic language is in use on the victim device, leads researchers to believe that this is a Russian-speaking threat actor targeting western nations, largely within Europe.

Whilst Godfather will seek to infect devices by mimicking popular applications on the Google Play store - typically antivirus scanners - this is not determined to be the main infection vector, which is still unknown at the time of writing.

Once infected, a user’s device will be susceptible to an array of attacks including automatic SMS being sent, banking credential theft and display notifications which, when clicked on, direct the user to a phishing page where further credentials can be stolen.

Most worryingly about Godfather, is the determination of threat actors to circumvent the security procedures in place.

This is first demonstrated through the large code rework to bypass Android detections then the malwares’ ability to mimic Google’s “Google protect”; a feature on all Android devices that scans for harmful applications before they are downloaded.

By mimicking this feature, the threat actors give the user confidence that when inadvertently downloading an infected application, possibly from a source other than the Play store, that it is in fact safe to use.

A rise in mobile malware has been frequently reported upon, and organisations are encouraged to remain vigilant in the face of this threat by minimising the applications downloaded onto work devices.

Furthermore, organisations are encouraged to help educate colleagues outside of the cyber security world that may be more vulnerable to this attack vector. By protecting personal devices, the organisation can benefit from a stronger defensive posture.

Applications should only be downloaded from the official Google Play store, provided by default upon purchasing the device and users should be wary of any prompts for credentials outside of the normal, expected prompts.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page