Godfather malware is draining banking and crypto accounts — what you need to know

Android users in 16 countries around the world are currently being targeted by a banking malware named ‘Godfather’, which is capable of stealing account credentials from more than 400 different banking and crypto apps.

First discovered by ThreatFabric back in March of last year, the Godfather trojan has been significantly updated and improved since then according to a new report from the cybersecurity firm Group-IB.

Likewise, the dark web and cybercrime monitoring firm Cyble has released a separate report detailing how Godfather is also being spread in Turkey through a malicious app that has been downloaded 10 million times which impersonates a popular music tool.

As BleepingComputer points out, Godfather is believed to be the successor to Anubis, which was a popular and widely used banking trojan before it lost the ability to bypass newer Android defenses.

Targeting banking and crypto apps

Since it first appeared last year, Godfather has targeted users of more than 400 applications including 215 banking apps, 94 crypto wallets and 110 crypto exchange platforms. 

The banking apps targeted by the malware are found in various countries around the world with 49 in the U.S., 31 in Turkey, 30 in Spain, 22 in Canada, 20 in France, 19 in Germany and 17 in the UK.

Surprisingly, Group-IB found a line in Godfather’s code that prevents the malware from targeting users in Russia as well as users from former Soviet Union countries, which suggests its creators speak Russian. Once installed on an Android phone, the malware checks to see if the system language is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. If it is, Godfather shuts down and doesn’t try to steal any banking or crypto accounts stored on the device.

Using fake overlays to steal your financial accounts

Once installed on a user’s Android phone through a malicious app or file, Godfather tries to achieve persistence on the device by imitating Google Protect. This legitimate program runs once you download an app from the Google Play Store.

Godfather then tells a user that it is “scanning” when in reality, the malware creates a pinned “Google Project” notification and hides its icon from the list of installed apps. This makes it easier for the malware to hide in the background and harder to delete.

Since Godfather’s icon is nowhere to be found, a targeted user goes about their daily business. However, the malware then uses fake overlays of popular banking and crypto apps to steal their credentials and drain their accounts. Godfather also uses a clever trick to send users to phishing pages. It does this by displaying a decoy notification that spoofs banking or crypto apps installed on their smartphone.

Besides stealing credentials, Godfather can also record a user’s screen, launch keyloggers to capture their keystrokes, forward calls to bypass two-factor authentication (2FA) and send SMS messages from infected devices.

How to protect yourself from Android malware

To protect yourself from Godfather and other Android malware, you should only install new apps from Google Play Store or other official app stores like the Amazon App Store or Samsung Galaxy Store. While sideloading apps may be tempting, they can contain malware and other viruses since they don’t go through any security checks before being uploaded.
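To check which apps already on a phone came from somewhere other than the three stores named above, the installer of record for each package can be audited. The following is an added example, not code from the article or from any of the reports it cites: it parses the output of `adb shell pm list packages -i -3` and flags packages whose installer is not one of those stores. The sample output and the `com.example.*` package names are constructed for illustration.

```python
import re

# Installer package names for the three stores the article names.
OFFICIAL_STORES = {
    "com.android.vending": "Google Play Store",
    "com.amazon.venezia": "Amazon Appstore",
    "com.sec.android.app.samsungapps": "Samsung Galaxy Store",
}

# One line of `pm list packages -i` output: package:<name>  installer=<name|null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample of `adb shell pm list packages -i -3` output.
# The com.example.* package names are made up for this example.
SAMPLE_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.musictool  installer=null
package:com.example.reader  installer=com.amazon.venezia
package:com.example.flashlight  installer=com.google.android.packageinstaller
package:com.example.notes  installer=com.sec.android.app.samsungapps
garbage line that is not package output
"""


def audit_installers(pm_output):
    """Return (from_store, review): packages installed by an official store,
    and packages that were sideloaded or have no installer recorded."""
    from_store, review = {}, {}
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a package line
        pkg, installer = m["pkg"], m["installer"]
        if installer in OFFICIAL_STORES:
            from_store[pkg] = OFFICIAL_STORES[installer]
        else:
            review[pkg] = "no installer recorded" if installer == "null" else installer
    return from_store, review


if __name__ == "__main__":
    store, review = audit_installers(SAMPLE_OUTPUT)
    for pkg, source in sorted(review.items()):
        print(f"REVIEW {pkg}: {source}")
    print(f"{len(store)} package(s) came from an official store")
```

The installer of record is a triage signal rather than proof: it is supplied at install time, so a flagged package deserves a closer look and an unflagged one is not guaranteed clean.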

You should also make sure that Google Play Protect is enabled on your device, as it scans new apps as well as your existing apps for malware. For additional protection, you may also want to install one of the best Android antivirus apps.

In an email to Tom's Guide, a Google spokesperson provided further details on how Google Play Protect helps keep you safe from harmful apps including sideloaded ones, saying:

“Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Users are protected by Google Play Protect, which blocks these identified malicious apps on Android devices.”

Before installing any new app, you should first ask yourself if you really need it. By limiting the number of apps installed on your Android smartphone, you can lower the chances of having your device infected with malware.

Godfather is already being used in countries around the world and cybercriminals will likely continue to deploy this malware in their campaigns due to the way in which it can bypass Android security checks and the large number of banking and crypto apps it targets.

Anthony Spadafora
Managing Editor Security and Home Office

