Protect Yourself and Devices from GodFather Malware
October 24, 2025
Recently, security researchers have identified an evolution of the ‘GodFather’ malware, which targets banking and cryptocurrency applications.
What is GodFather Malware?
GodFather is a type of malicious software that infects Android devices. It tricks users into entering sensitive information, such as banking credentials or crypto wallet logins, by displaying fake login screens that look identical to real applications.
The GodFather malware was first identified in 2022, with widespread activity continuing into the present day.
How does GodFather work?
Infection Begins with a Fake App: GodFather malware often hides inside apps that seem useful or familiar, such as a music streaming app, currency converter, or even a fake version of a popular banking app. These apps may be found on third-party websites, alternative app stores, or through links in phishing messages. They may look legitimate, but they carry hidden malicious code.
It Requests Permissions: After installation, the fake app might ask the user to enable Accessibility Services or Notification Access, claiming this is needed for the app to work properly. In reality, these permissions allow the malware to watch everything the user does and control the screen without the user’s knowledge.
The Malware Lies in Wait: Once installed and granted access, GodFather sits quietly in the background. It monitors which apps are opened and waits for the user to launch a specific targeted app.
It Triggers a Fake Login Screen (Overlay Attack): As soon as the user opens a targeted app, the malware immediately displays a fake login screen that mimics the one the user is expecting. The user thinks they are logging into their bank or wallet but is actually entering credentials into the malware’s trap.
It Steals Credentials and Security Codes: Whatever is typed into the fake screen is sent to the attackers. If a 2FA code is sent via SMS, the malware reads the code (due to its notification access) and can send it to the attackers as well.
It Sends the Data to a Command Server: The malware communicates with a command-and-control (C2) server, which receives the stolen information and can send back instructions, such as logging into an account, transferring money, or disabling more security settings.
It May Disable Protections: In some versions, GodFather can disable Google Play Protect (which scans for harmful apps) or hide its icon to stay invisible on your phone.
How can individuals protect themselves from this type of malware?
Only install applications from the official Google Play Store. Avoid third-party websites or unofficial app stores.
Be careful with application permissions. Never grant Accessibility Services or SMS access to applications unless you’re certain they are trustworthy.
Enable Google Play Protect. This can scan your devices regularly for harmful applications. It can be found under ‘security’ in device settings.
Don’t enter sensitive information into pop-ups. If an app suddenly asks you to log in again and it seems unusual, close it and restart the app from your home screen.
Keep your device updated. Regular software updates include important security patches.
Use app-based authentication (like Google Authenticator) instead of SMS when possible, as SMS codes can be intercepted.
Watch for strange behavior. Unfamiliar apps, battery drain, or screen overlays can be a sign of infection.
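One way to act on the permission and app-source advice above, as an added example that is not part of the original advisory: the script lists which apps hold Accessibility Services or Notification Access and flags those not installed by the Google Play Store. The sample output and package names are constructed; on a real device the three inputs come from `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -i`.

```python
PLAY_STORE = "com.android.vending"  # installer package name of the Google Play Store

# Constructed sample output (not from a real device); package names are made up.
SAMPLE_ACCESSIBILITY = ("com.example.musicplayer/.HelperService:"
                        "com.google.android.marvin.talkback/.TalkBackService")
SAMPLE_LISTENERS = "com.example.musicplayer/.NotifyService"
SAMPLE_PACKAGES = """\
package:com.example.musicplayer  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
"""

def components_to_packages(setting_value):
    """Turn a colon-separated 'pkg/class' component list into a set of package names."""
    value = setting_value.strip()
    if not value or value == "null":  # 'null' means the setting is unset
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def parse_installers(pm_output):
    """Map package name -> installer from 'pm list packages -i' style output."""
    installers = {}
    for line in pm_output.splitlines():
        parts = line.strip().removeprefix("package:").split()
        if not line.strip().startswith("package:") or not parts:
            continue
        installer = next((p.split("=", 1)[1] for p in parts[1:]
                          if p.startswith("installer=")), "null")
        installers[parts[0]] = installer
    return installers

def audit(accessibility, listeners, pm_output):
    """Return (package, installer, grants) for apps holding a sensitive grant
    that were not installed by the Play Store. Preinstalled system apps also
    report installer=null, so treat the result as a list to review by hand."""
    installers = parse_installers(pm_output)
    acc = components_to_packages(accessibility)
    lis = components_to_packages(listeners)
    findings = []
    for pkg in sorted(acc | lis):
        installer = installers.get(pkg, "null")
        if installer != PLAY_STORE:
            grants = [n for n, s in (("accessibility", acc), ("notifications", lis)) if pkg in s]
            findings.append((pkg, installer, grants))
    return findings

if __name__ == "__main__":
    for pkg, installer, grants in audit(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg}: installer={installer}, grants={', '.join(grants)}")
```

Any app in the output that you do not recognise can have its access revoked under Accessibility and Notification access in device settings before it is uninstalled.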