GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)

GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information. (Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Virtualization Solution - T1670 (8e097ec5-1755-41d6-807c-3882442b818a) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Event Triggered Execution - T1624 (d446b9f0-06a9-4a8d-97ee-298cfee84f14) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Scheduled Task/Job - T1603 (00290ac5-551e-44aa-bbd8-c4b913488a6d) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Input Injection - T1516 (d1f1337e-aea7-454c-86bd-482a98ffaf62) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Native API - T1575 (52eff1c7-dd30-4121-b762-24ae6fa61bbb) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Hooking - T1617 (ccde43e4-78f9-4f32-b401-c081e7db71ea) | Attack Pattern | 1 |
| GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52) | Malware | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 1 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | 2 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 2 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 2 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 2 |