GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)

GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information. (Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	1
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a)	Attack Pattern	1
Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	1
Virtualization Solution - T1670 (8e097ec5-1755-41d6-807c-3882442b818a)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	1
Event Triggered Execution - T1624 (d446b9f0-06a9-4a8d-97ee-298cfee84f14)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Scheduled Task/Job - T1603 (00290ac5-551e-44aa-bbd8-c4b913488a6d)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Input Injection - T1516 (d1f1337e-aea7-454c-86bd-482a98ffaf62)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df)	Attack Pattern	1
Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69)	Attack Pattern	1
Native API - T1575 (52eff1c7-dd30-4121-b762-24ae6fa61bbb)	Attack Pattern	GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Hooking - T1617 (ccde43e4-78f9-4f32-b401-c081e7db71ea)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	1
GodFather - S1231 (bf064476-25b8-493c-a1e7-dd707b3f7f52)	Malware	Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	1
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	2
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	2
Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9)	Attack Pattern	Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a)	Attack Pattern	2
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	2
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)	Attack Pattern	2
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673)	Attack Pattern	Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	2