
GodFather

GodFather is the modern successor to Anubis, built on its leaked source code but substantially rewritten for current Android versions. First detected by Group-IB in June 2021 and publicly disclosed by ThreatFabric in March 2022, GodFather targets 400+ financial applications across 16 countries using dynamically generated overlay WebViews. Its operators retrieve C2 addresses from encrypted Telegram channel descriptions, a technique that provides resilient infrastructure with minimal effort. The malware explicitly refuses to run on devices whose language is set to a post-Soviet language, strongly indicating Russian-speaking development.

Overview

| Property | Value |
|---|---|
| First Seen | June 2021 (Group-IB detection); publicly documented March 2022 |
| Last Seen / Status | Active, ongoing development with v2 native code migration |
| Type | Banking trojan, infostealer |
| Attribution | Russian-speaking operators (inferred from language-based kill switch) |
| Aliases | None widely established |

Origin and Lineage

GodFather's codebase derives directly from Anubis, whose source code was leaked in January 2019. The developers took the Anubis code as a foundation and modernized it to work on newer Android versions, where many of Anubis's original techniques (particularly overlay injection via SYSTEM_ALERT_WINDOW) had been restricted by Google.

Group-IB's detailed analysis confirmed the Anubis lineage through code structure comparison, but noted that the GodFather developers rewrote substantial portions: the overlay delivery mechanism, C2 communication protocol, and evasion techniques are all new. This is not a simple Anubis fork with cosmetic changes but a ground-up rebuild using Anubis as scaffolding.

GodFather sits within the broader ecosystem of Anubis-derived malware. Where Ginp selectively borrowed Anubis components, GodFather represents a more comprehensive modernization effort.

Distribution

Google Play droppers: Group-IB identified GodFather distributed through decoy applications hosted on Google Play. These apps mimic legitimate utilities and pass initial screening before downloading the banking payload.

Fake app impersonation: Cyble discovered GodFather samples masquerading as the MYT Muzik app, a popular Turkish music streaming application. The fake app was visually identical to the legitimate version, targeting Turkish users specifically.

Third-party stores and phishing: Distribution also occurs through third-party app stores, phishing pages, and SMS lures directing victims to malicious download sites.

The malware's language-based kill switch (see Target Regions below) means distribution campaigns are geographically selective, avoiding markets where the malware would self-terminate.

Capabilities

Core Feature Set

| Capability | Implementation |
|---|---|
| Dynamic overlay injection | Fetches overlay WebView HTML from C2, generates phishing screens matching targeted apps |
| Keylogging | Accessibility Service captures all text input events |
| Screen recording | Records device screen via MediaProjection or Accessibility |
| Screenshot capture | Takes screenshots on demand or triggered by targeted app launch |
| SMS interception | Reads and hides incoming SMS for OTP/2FA theft |
| Call log harvesting | Exfiltrates call history |
| Contact exfiltration | Steals device contact list |
| Notification interception | Reads notification content, including push-based 2FA codes |
| Device Admin abuse | Requests admin privileges to prevent uninstallation |
| Google Play Protect bypass | Disables Play Protect via Accessibility navigation |
| Proxy/VNC | Remote device interaction through accessibility-based commands |
| USSD execution | Executes USSD codes on the device |
| Call forwarding | Forwards incoming calls to attacker-controlled numbers |

Version Evolution

| Version | Period | Key Changes |
|---|---|---|
| v1 | 2021-2023 | Anubis-derived Java codebase, Telegram-based C2 resolution, Blowfish encryption, overlay injection targeting 400+ apps |
| v2 | 2024+ | Migration to native code, reduced permission footprint, heavier reliance on Accessibility Service, expanded to 500+ targeted apps, new geographic targets (Japan, Greece, Singapore, Azerbaijan) |
| v3 | 2025 | On-device virtualization: creates isolated virtual environment, installs real banking apps inside it, intercepts all interactions at runtime. Hooks OkHttp build() to inject network interceptor. Turkish bank focus. ZIP manipulation + manifest obfuscation + $JADXBLOCK fields to defeat static analysis. |

Technical Details

C2 Resolution via Telegram

GodFather's most distinctive technical feature is its C2 address retrieval mechanism:

  1. The malware contains a hardcoded link to an attacker-controlled Telegram channel
  2. It fetches the channel description via HTTP request
  3. The description contains a Base64-encoded, Blowfish-encrypted string
  4. The malware decrypts the string using Blowfish in ECB mode with the hardcoded key ABC
  5. The decrypted result is the active C2 URL

This approach provides the operators with trivially updatable C2 infrastructure: changing the active server requires only editing a Telegram channel description. Group-IB documented this mechanism in detail, and independent technical analysis confirmed the Blowfish ECB implementation.

C2 Communication Encryption

After resolving the C2 address, ongoing bot-to-server communication uses AES/CBC/NoPadding with:

  • IV: fedcba9876543210
  • Key: 0123456789abcdef

These values are hardcoded in the malware. The use of static, predictable encryption parameters suggests the operators prioritize operational simplicity over cryptographic strength, relying instead on the Telegram-based C2 resolution layer for infrastructure resilience.

Overlay Injection Mechanism

GodFather generates overlay screens dynamically rather than bundling static HTML:

  1. The bot sends the C2 a list of installed applications
  2. The C2 returns a target list with corresponding overlay URLs
  3. When a targeted app enters the foreground (detected via Accessibility events), the malware loads the overlay URL in a WebView positioned over the legitimate app
  4. Credentials entered into the WebView are captured and sent to the C2

The C2-hosted overlay approach means operators can update, add, or modify phishing screens without pushing a new APK to infected devices.

Language-Based Kill Switch

On first execution, GodFather checks the device's configured language. If it matches any of the following, the malware terminates without running its payload:

  • Russian
  • Azerbaijani
  • Armenian
  • Belarusian
  • Kazakh
  • Kyrgyz
  • Moldovan
  • Tajik
  • Uzbek

This post-Soviet language exclusion is a strong indicator of Russian-speaking developers protecting their local operating environment, a pattern shared with Cerberus, Hook, and other MaaS families.

v2 Native Code Migration

Cyble's analysis of GodFather v2 documents a significant architectural shift: core malicious logic has been moved from Java/Kotlin to native code (C/C++ via JNI). The native functions implement:

  • Injection URL loading into WebView
  • Automated gesture execution
  • C2 connection establishment
  • Keylogging

This migration makes static analysis substantially harder, as native code is not decompilable to readable Java. The v2 variant also operates with fewer declared permissions, shifting more functionality to Accessibility Service abuse.

Target Regions and Financial Institutions

GodFather's targeting is broad but weighted toward specific regions:

| Region | Details |
|---|---|
| Turkey | Primary target; fake MYT Muzik app, Turkish banking overlay templates |
| United States | Major US banks and crypto exchanges |
| United Kingdom | UK banking apps |
| Spain | Spanish banks and financial services |
| Italy | Italian banking apps |
| Canada | Canadian financial institutions |
| Germany | BaFin issued a public warning about GodFather targeting German banking users |
| France | French banking apps |
| Japan | Added in v2 expansion |
| Singapore | Added in v2 expansion |
| Greece | Added in v2 expansion |
| Azerbaijan | Added in v2 expansion |

The target list encompasses:

  • 215+ banking applications
  • 94 cryptocurrency wallet providers
  • 110+ cryptocurrency exchange platforms

Cyble's v2 analysis documented expansion to 500+ targeted applications with new geographic reach.

Excluded regions: All post-Soviet language countries (Russia, Belarus, Kazakhstan, Uzbekistan, Armenia, Azerbaijan, Kyrgyzstan, Tajikistan, Moldova).

Notable Campaigns

June 2021, initial detection: Group-IB first detected GodFather samples in the wild. At this stage the malware was in early development, with a smaller target list and less sophisticated evasion.

March 2022, ThreatFabric disclosure: ThreatFabric publicly documented GodFather as part of their broader analysis of the Android banking trojan surge fueled by the Anubis and Cerberus source code leaks. They confirmed the Anubis code lineage and noted the modernized overlay mechanism.

October 2022, MYT Muzik campaign (Turkey): Cyble identified GodFather samples impersonating the popular Turkish music app MYT Muzik. The campaign specifically targeted Turkish banking users with localized overlay templates.

December 2022, Group-IB full report: Group-IB published their comprehensive analysis covering 400+ targeted apps across 16 countries. The report detailed the Telegram-based C2 mechanism, Blowfish encryption, and post-Soviet language exclusion. Germany's BaFin financial regulator issued a public advisory in response.

2023, EclecticIQ European expansion analysis: EclecticIQ documented GodFather's expansion into additional European markets, with updated overlay templates targeting banks not present in earlier campaigns.

2024, Cyble v2 analysis (500+ targets): Cyble analyzed the second major version of GodFather, documenting the native code migration, reduced permission footprint, expanded target list of 500+ apps, and new geographic coverage including Japan, Singapore, Greece, and Azerbaijan.

2024, Cyble follow-up on evolved capabilities: Cyble published additional analysis covering new automated commands for device interface navigation, gesture execution on target apps, screen brightness manipulation, and notification settings control.

July 2025, virtualization-based v3: Zimperium zLabs uncovered a major evolution. GodFather v3 creates an on-device virtual environment, installs the legitimate banking or crypto app inside it, and intercepts all user interactions at runtime. Instead of overlay phishing, the victim interacts with the real banking app running inside a sandbox the malware controls. The malware hooks OkHttp's build() method to inject a custom interceptor that logs all network requests, capturing credentials and transaction data from the real app's traffic. This is a fundamental shift from the overlay injection model in use since GM Bot introduced it in 2014 to virtualization-based interception. v3 targets 500+ banking and crypto apps, currently focused on Turkish banks.
