man sitting in leather chair against dark background

Godfather Android banking malware is on the rise

Researchers at Cyble Research & Intelligence Labs (CRIL) have found a new version of the Android banking Trojan called Godfather.

The new version of Godfather uses an icon and name similar to a legitimate application named MYT Music, which is hosted on the Google Play Store with over 10 million downloads.


Group-IB researchers established that Godfather is a successor of Anubis. Anubis was a widely used Android banking Trojan that lost popularity after its functionality got limited by Android updates and security vendors’ detection and prevention efforts.

Godfather’s success is mostly due to its ability to create convincing lay-over screens for over 400 applications. This use of lay-over screens or web fakes, are basically HTML pages created by threat actors that display over legitimate applications. This allows the threat actors to harvest login credentials for banking applications and other financial services. The target apps include banking applications, cryptocurrency wallets, and crypto exchanges.

The most popular target apps for the banking Trojan are in the United States (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17). The Trojan checks the system language of the infected device and shuts down if it is one of these: Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.


Several of the new Godfather samples were found masquerading as the MYT Müzik application which is written in the Turkish language. After installing it uses an icon and the name that are very similar to a legitimate application named MYT Music. MYT Music is a popular app with over 10 million installs.

Getting permissions

To get the necessary permissions, the Trojan poses as Google Protect, which is a standard security tool found on all Android devices. It pretends to initiate a scan and asks the user for access to the Accessibility Service. Which makes sense to the user given that they think the app will scan the device. With access to the Accessibility Service, the Trojan can grant itself all the permissions it needs to steal information from the affected device.


Once fully active, Godfather steals sensitive data such as SMS messages, basic device details including installed apps data, and the device’s phone number. It can also control the device screen, forward incoming calls of the victim’s device, and inject banking URLs. The Trojan is capable of initiating money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialer user interface

It sends the harvested data to the attacker. Who, in turn, now know which apps are installed and can inject HTML phishing pages that are most effective if the victim has the imitated app installed. The Command & Control (C2) server’s URL is fetched from a Telegram channel.


For the variant posing as the MYT Muzik app CRIL provided:

APK Metadata Information

  • App Name: MYT Müzik
  • Package Name: com.expressvpn.vpn
  • SHA256 Hash: 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4

Malwarebytes for Android detects these new variants of the Godfather Trojan as Android/Trojan.Spy.Banker.MYT.

How to avoid malware

There are a few basic guidelines that can help you prevent installing malware on your device.

  • Download and install software only from official app stores like Google Play Store or the iOS App Store. And check whether the app you are downloading is exactly the one you wanted and not some imitator.
  • Use a reputed anti-virus/anti-malware and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication (MFA) wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device if possible.
  • Be very careful before opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions. Reading carefully what you are allowing an app to do helps you flag unusual and suspicious requests.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.