GodFather malware is a malicious app that affects Android users. The Android malware was first discovered in 2021, and after disappearing for a while, it has since re-emerged with an updated version. The primary goal of this malware is to steal online bank and crypto service credentials. To do this, it generates fake login pages once installed on an Android device. It employs other techniques to bypass security measures like two-factor authentication in order to gain access to users’ accounts. It appears to avoid targeting certain countries, as it shuts down if installed on a device where the default language is one of those spoken in certain former Soviet Union states. As Ukrainian is excluded from the list, it is speculated that the malware operators are Russian actors.

 


GodFather malware is essentially a banking trojan. Its main goal is to steal the login credentials of users’ banking and cryptocurrency accounts. The malware primarily targets European users, though it avoids certain countries. To be specific, the malware shuts down if the system language is set to Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. This strongly implies that the malware operators are of Russian origin.

Users likely download the malware from third-party stores and questionable sources. GodFather malware was found to be disguised as an MYT app. When installed, the app has a very similar design and icon to the MYT Music app, which is available on the Google Play Store.

One of the reasons GodFather malware is so dangerous is its ability to display convincing screen overlays. The malware can show these fake screens for over 400 apps, including banking apps, cryptocurrency wallets, and crypto exchanges. When users open a banking app, for example, the malware displays a fake overlay screen that looks identical to the app. If users are tricked into typing their login credentials on the fake screen, the credentials are sent to the cybercriminals.

In order to bypass additional security (e.g. two-factor authentication), the malware tries to get certain permissions when installed. It poses as Google Protect, a tool found on all Android devices that scans all apps on a device for malware. Users see a screen that looks like the one shown by Google Protect, and it asks users for access to the Accessibility Service to supposedly initiate a scan. If users grant this permission, the GodFather malware can then give itself the necessary permissions. It can then access and steal sensitive data, such as SMS messages with codes. It would also be able to forward incoming calls, control the device screen, inject URLs, etc.
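One way to check a device for the Accessibility Service abuse described above, as an added example that is not part of the original article: the Python script below takes the text output of two standard adb commands and lists apps that hold an enabled accessibility service but were not installed by Google Play. The package names and sample output are constructed for illustration.

```python
import re

PLAY_STORE = "com.android.vending"  # installer package name of the Google Play Store

def parse_accessibility(setting_value):
    """Parse `adb shell settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of package/ServiceClass components,
    or "null"/empty when no accessibility service is enabled.
    """
    value = setting_value.strip()
    if not value or value == "null":
        return {}
    services = {}
    for component in value.split(":"):
        package, _, service = component.partition("/")
        if package:
            services.setdefault(package, []).append(service)
    return services

def parse_installers(pm_output):
    """Parse `adb shell pm list packages -i` into {package: installer}."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def flag_suspects(setting_value, pm_output):
    """Return apps with an enabled accessibility service that did not come from Google Play."""
    installers = parse_installers(pm_output)
    suspects = []
    for package, services in sorted(parse_accessibility(setting_value).items()):
        installer = installers.get(package, "unknown")
        if installer != PLAY_STORE:
            suspects.append((package, installer, services))
    return suspects

# Constructed sample output (hypothetical package names, not from a real device).
SAMPLE_SETTING = ("com.example.screenreader/com.example.screenreader.ReaderService:"
                  "com.example.fakeprotect/com.example.fakeprotect.ScanService\n")
SAMPLE_PM = """package:com.example.screenreader  installer=com.android.vending
package:com.example.fakeprotect  installer=null
package:com.example.flashlight  installer=com.android.vending
"""

if __name__ == "__main__":
    for package, installer, services in flag_suspects(SAMPLE_SETTING, SAMPLE_PM):
        print(f"REVIEW {package} (installer={installer}) services={services}")
```

Preinstalled system apps also report no installer, so treat the output as a list to review rather than a verdict.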

If you realize that this app is installed on your Android device, you will need to disable your Internet (both WiFi and mobile data) and perform a factory reset to delete GodFather malware.

How to avoid downloading malware

One of the best ways to avoid downloading malware onto your Android device is to only download apps from the Google Play Store. Google has strict security measures that prevent, to some extent, malicious apps from being listed. However, some malware can bypass these security measures, which is why you should not blindly install an app even if you find it on the Google Play Store. You should first look into the app, check who the developer is, read reviews, review requested permissions, etc. Always be skeptical of apps that ask for permissions unrelated to their activities. For example, if a flashlight app requests permission to access your contacts or read your SMS, you should immediately be suspicious.

Be very careful with unsolicited SMS messages and emails, particularly if they ask you to perform some kind of action (e.g. open an attachment or click on a link). Learn to recognize phishing and malicious messages/emails to avoid becoming a victim. If, for example, a message or an email asks you to click on the provided link to check your account, access the account manually instead of clicking on the link. And before logging in anywhere, inspect the site’s URL to check whether it’s correct. Phishing sites can look practically identical to legitimate ones but the URL will always give them away.

Do not blindly give apps permissions, even if an app is legitimate. Carefully read why the app requires the permissions it asks for to operate. If you don’t think the app needs the permissions, do not grant them. Again, there’s no reason why a simple utility app or a game would need access to your contacts, SMS, etc.

It may be a good idea to have an anti-virus app installed on your Android device. Many of the most popular anti-virus vendors offer Android versions as well, and they can protect devices from all kinds of malicious apps, including GodFather malware.

Overall, good online habits significantly decrease your chances of encountering malware. Users are strongly encouraged to take the time to develop better habits and keep an eye on some of the more serious malicious threats that could affect their devices.

How to remove GodFather malware (Android)

The best way to remove GodFather malware is to perform a factory reset. But the moment you realize that this malware is on your device, you need to remove your SIM card and disable WiFi. Once you have done that, perform a complete factory reset of your device.

If this malware is/was on your device, it’s likely that it was able to steal your login credentials. You need to immediately secure your accounts, particularly sensitive ones. Change passwords, codes, etc., and enable two-factor authentication. If your bank account was accessed and a transaction was made, immediately contact your bank to try and reverse the transaction(s).
