Junior Malware Analyst
Godfather’s international targets
Figure 1: Who and where Godfather targets
Gone but not forgotten: Anubis, we recognize you
Comparison of Godfather and Anubis
Figure 3: A Telegram user asking for a review of the Godfather banking trojan
Figure 4: Godfather’s network infrastructure, as detailed by Group-IB’s Graph Network Analysis tool
Figure 5: Replicated DNS A records for Godfather's C&C addresses
Figure 7: Google Protect animation
Checking system language and context
Initialization of SharedPreferences parameters
A service for requesting access to AccessibilityService
A service for communicating with the C&C server
Figure 8: Communication between Godfather and C&C addresses
Figure 9: Example of Telegram channel with encrypted C&C address
The field contains one of the following:
Information about events tracked by the keylogger:
This request is executed if the size of the collected information exceeds 12,000 bytes.
Information about received SMS messages (the new, September 2022 version does not have this feature).
Contents of fields used for entering PINs or passwords.
Figure 10: How Godfather connects to remote VNC clients
Recommendations on how to protect against Godfather