S1231: GodFather
GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information. [1][2]
Analyst context for executives and security teams
GodFather matters because it represents mobile banking malware aimed at credentials and sensitive account data on Android devices. The supplied ATT&CK record highlights virtualization-based mimicry of legitimate apps, abuse of accessibility services, permission misuse, input capture, SMS/call-related capabilities, discovery, persistence-style triggers, defense impairment, and exfiltration over command-and-control. For leaders, the practical issue is not just “mobile malware exists”; it is whether the organization can govern risky Android permissions, detect suspicious app behavior on managed devices, and support incident response when employee or customer financial workflows intersect with compromised mobile endpoints.
Executive priority
Prioritize GodFather as a mobile identity and fraud-readiness concern where Android devices are used for banking, cryptocurrency, privileged business workflows, SMS-based verification, or employee access to sensitive accounts. Executives should ask whether mobile device management, mobile threat defense, identity controls, and incident response playbooks can prove coverage for accessibility abuse, suspicious permissions, app impersonation, SMS/call manipulation, and data exfiltration. The ATT&CK object does not provide official detection guidance, so coverage should be validated through local telemetry and control evidence rather than assumed.
Technical view
SOC, detection engineering, and IR teams should validate Android-focused monitoring against the related behaviors: obfuscated files or information, input capture and keylogging, installed software discovery, device and network discovery, audio capture, web-protocol C2, accessibility abuse, input injection, tool transfer, native API use, SMS and call control, scheduled or event-triggered execution, defense impairment, prevention of app removal, host indicator removal, contact/SMS collection, exfiltration over C2, and matching legitimate app names or locations. Because GodFather is described as using virtualization to mimic legitimate applications, teams should also scrutinize app identity, package naming, icon/name similarity, permission grants, and runtime behavior rather than relying only on static reputation.
Likely telemetry
- Android application inventory, package names, signing information, install source, app icons/names, and version metadata
- Permission grant history, especially accessibility services, SMS, contacts, microphone/audio, phone/call, and device administration capabilities
- Mobile device management or mobile threat defense alerts for suspicious app behavior, prevent-uninstall behavior, defense impairment, or indicator removal
- Accessibility service enablement and anomalous UI automation or input injection events where available
- SMS and call-related events, including unexpected send/receive/control behavior where policy and privacy rules allow collection
Detection direction
- Start with permission-and-behavior correlation: an app requesting accessibility, SMS, contacts, microphone, phone, device admin, or broad discovery capabilities is more material when combined with app impersonation, obfuscation, C2-like web traffic, or attempts to prevent removal.
- Tune for app masquerading and virtualization-related risk by comparing package names, app labels, icons, signing certificates, install source, and behavior against expected legitimate applications; avoid relying only on name or icon matching.
- Validate mobile telemetry coverage before writing high-confidence detections. The ATT&CK object provides no official detection section, so teams should confirm what MDM/MTD, endpoint, network, and identity systems actually record for Android devices.
- Use relationship-driven context to reduce false positives: accessibility services, scheduled jobs, native APIs, and web protocols can be legitimate, so prioritize combinations involving sensitive permission abuse, input capture, SMS/call control, exfiltration, defense impairment, or prevent-removal behavior.
- Investigate suspicious credential or account events alongside mobile evidence, especially where SMS messages, accessibility prompts, or banking/cryptocurrency applications are part of the user workflow.
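The permission-and-behavior correlation described above, as an added example that is not part of the ATT&CK record or Glexia's analysis: it scores constructed MDM-style app inventory records for the combinations this page calls out (accessibility plus other sensitive permissions, a label that imitates Google Play Protect on an unexpected package, sideloading, and prevent-uninstall behavior). The package names, the allowed-owner set for the Play Protect label, the scoring weights and the threshold are all assumptions to be replaced with your own golden inventory and tuning.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Sensitive capabilities named on this page, keyed by Android permission string.
HIGH_RISK_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}
# Assumption: packages allowed to present the "Google Play Protect" label; take
# this from your own trusted app inventory rather than from this example.
EXPECTED_LABEL_OWNERS = {"google play protect": {"com.android.vending", "com.google.android.gms"}}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; others treated as sideloaded

@dataclass
class AppRecord:
    package: str
    label: str
    installer: Optional[str]          # None means no installer recorded (sideloaded)
    permissions: Set[str] = field(default_factory=set)
    blocks_uninstall: bool = False    # MTD signal: uninstall dialog closed via accessibility

def assess(app: AppRecord) -> Tuple[int, List[str]]:
    """Return (risk score, reasons); weights are illustrative assumptions."""
    score, reasons = 0, []
    classes = {HIGH_RISK_PERMS[p] for p in app.permissions if p in HIGH_RISK_PERMS}
    # Accessibility alone is legitimate; it becomes material combined with other classes.
    if "accessibility" in classes and len(classes) >= 2:
        score += 2
        reasons.append("accessibility combined with " + ", ".join(sorted(classes - {"accessibility"})))
    owners = EXPECTED_LABEL_OWNERS.get(app.label.strip().lower())
    if owners is not None and app.package not in owners:
        score += 3
        reasons.append(f"label '{app.label}' presented by unexpected package {app.package}")
    if app.installer not in TRUSTED_INSTALLERS:
        score += 1
        reasons.append("installed outside trusted store")
    if app.blocks_uninstall:
        score += 2
        reasons.append("prevents its own removal")
    return score, reasons

def triage(apps: List[AppRecord], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Packages whose combined signals reach the review threshold, highest first."""
    hits = [(a.package, *assess(a)) for a in apps]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])

# Constructed sample inventory: one impersonator, one legitimate accessibility tool.
SAMPLE_APPS = [
    AppRecord("com.example.playprotect", "Google Play Protect", None, {
        "android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.READ_SMS",
        "android.permission.SEND_SMS", "android.permission.RECORD_AUDIO",
        "android.permission.CALL_PHONE", "android.permission.READ_CONTACTS"}, True),
    AppRecord("com.example.screenreader", "Screen Reader", "com.android.vending",
              {"android.permission.BIND_ACCESSIBILITY_SERVICE"}),
]
```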
Mitigation priorities
- Establish a clear Android mobile risk baseline: managed device enrollment where appropriate, approved app sources, application inventory, and policy enforcement for sensitive business use cases.
- Restrict and review high-risk permissions and capabilities, especially accessibility services, SMS, contacts, microphone, phone/call controls, and device administrator privileges; require business justification for managed devices.
- Harden identity workflows that depend on mobile devices or SMS-based verification by using stronger authentication and fraud-resistant controls where feasible.
- Deploy or validate mobile threat defense and MDM controls for suspicious permissions, app impersonation, prevent-uninstall behavior, defense impairment, and risky network activity.
- Prepare incident response procedures for compromised Android devices, including isolation, evidence preservation, credential reset decisions, account monitoring, and safe app removal or device wipe when required.
Analyst notes and limits
This take is based on ATT&CK S1231 for GodFather and its supplied relationships. The record identifies GodFather as Android banking malware first identified in 2020, targeting nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide, with virtualization-based attacks primarily focused on several Turkish financial institutions. The relationship set is broad and indicates behaviors defenders should validate across Android permissions, accessibility abuse, discovery, C2, exfiltration, persistence-like execution, and evasion/defense impairment.
MITRE provides no official detection text for this object, no tactics in the supplied fields, and no aliases or labels. The supplied data supports Android only. This summary does not assert current activity, attribution, customer exposure, or guaranteed detectability. Local device management, mobile telemetry, privacy constraints, and business use of Android devices determine practical coverage and risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1624 | Event Triggered Execution | GodFather has executed when victims use their trusted banking apps, as the malware redirects the victim to a malicious version of the banking app. [1] |
| Mobile | T1670 | Virtualization Solution | GodFather has used virtualization to create a separate virtual environment that mimicked legitimate banking and cryptocurrency applications. [1] |
| Mobile | T1655.001 | Match Legitimate Name or Location | GodFather has imitated Google Play Protect, a security application pre-installed on all Android devices, and its functionalities, such as scanning the device and requesting the accessibility service. [2] |
| Mobile | T1437.001 | Web Protocols | GodFather has leveraged WebSockets for C2. [1] |
| Mobile | T1629 | Impair Defenses | GodFather has intercepted API returns from banking apps that detect malicious services and modified the methods to return an empty list, hiding the presence of the malware and other active services. [1] |
| Mobile | T1575 | Native API | |
| Mobile | T1630 | Indicator Removal on Host | GodFather has requested the `WRITE_EXTERNAL_STORAGE` permission to delete files in the device's external storage. [2] |
| Mobile | T1636.004 | SMS Messages | GodFather has requested the `Read_SMS` permission to access SMS messages. [2] |
| Mobile | T1429 | Audio Capture | GodFather has requested the `RECORD_AUDIO` permission to record audio with the microphone. [2] |
| Mobile | T1636.003 | Contact List | GodFather has accessed the device's contact list. [2] |
| Mobile | T1646 | Exfiltration Over C2 Channel | GodFather has exfiltrated sensitive information over C2. [1][2] |
| Mobile | T1629.001 | Prevent Application Removal | GodFather has abused the accessibility service to prevent the user from uninstalling it. [2] |
| Mobile | T1617 | Hooking | GodFather has used the Xposed hooking framework to intercept HTTP requests and responses, capturing and exfiltrating sensitive information such as credentials. [1] |
| Mobile | T1417.001 | Keylogging | |
| Mobile | T1422 | System Network Configuration Discovery | GodFather has accessed the device's current cellular network information, including the phone number and the serial number. [2] |
| Mobile | T1603 | Scheduled Task/Job | GodFather has used a timer to initiate a WebSocket connection. [1] |
| Mobile | T1544 | Ingress Tool Transfer | GodFather has downloaded the Google Play Store, Google Play services and Google Services Framework APKs to a virtual folder. [1] |
| Mobile | T1453 | Abuse Accessibility Features | |
| Mobile | T1516 | Input Injection | GodFather has abused the Accessibility Service to mimic victims' actions and to redirect victims to its StubActivity when they attempt to use the original, legitimate banking application. [1] |
| Mobile | T1418 | Software Discovery | GodFather has gathered a list of installed applications. [1][2] |
| Mobile | T1426 | System Information Discovery | GodFather has the ability to gain remote control of the victim device and to gather data associated with the device, including battery level, sound settings, and device brightness. [1] GodFather has also obtained the phone's state, including network information, phone number, and serial number. [2] |
| Mobile | T1616 | Call Control | GodFather has requested the `CALL_PHONE` permission to initiate phone calls. [2] |
| Mobile | T1660 | Phishing | GodFather has generated fake notifications to lure the victim to phishing pages. [2] |
| Mobile | T1406 | Obfuscated Files or Information | GodFather has obfuscated its Android manifest file with irrelevant permissions and manifest strings. [1] |
| Mobile | T1582 | SMS Control | GodFather has requested the `SEND_SMS` permission to send SMS messages. [2] |
| Mobile | T1417 | Input Capture | GodFather has captured information about the device's screen, including detailed tap events. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e9566ee27d57… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ZimperiumOrtegaPratapagiri_GodFather_Jun2025: Ortega, F., Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.
[2] MerkleScience_Godfather_April2023: Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.
[3] mitre-attack S1231.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.