GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)

GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information. (Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8)	Attack Pattern	1
Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Virtualization Solution - T1670 (8e097ec5-1755-41d6-807c-3882442b818a)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Event Triggered Execution - T1624 (d446b9f0-06a9-4a8d-97ee-298cfee84f14)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Scheduled Task/Job - T1603 (00290ac5-551e-44aa-bbd8-c4b913488a6d)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Input Injection - T1516 (d1f1337e-aea7-454c-86bd-482a98ffaf62)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Native API - T1575 (52eff1c7-dd30-4121-b762-24ae6fa61bbb)	Attack Pattern	1
Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Hooking - T1617 (ccde43e4-78f9-4f32-b401-c081e7db71ea)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	2
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	2
Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9)	Attack Pattern	Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a)	Attack Pattern	2
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	2
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)	Attack Pattern	2
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673)	Attack Pattern	Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	2