Godfather Android Trojan Doesn’t Target Russians

The Godfather, an Android banking Trojan that has targeted the users of more than 400 apps across the globe, has functionality that stops it from attacking users who speak Russian

godfather trojan


Security researchers from Group-IB are warning about the banking Trojan called the Godfather. It targets users of more than 400 apps in 16 countries. However, those speaking Russian or some of the other languages used in the former Soviet Union may feel safe – the Godfather doesn’t target them.

Group-IB has presented its analysis of the Godfather Trojan utilised by cybercriminals since 2021 to attack users of leading banking and crypto exchange applications in 16 countries.

Trojan origin

The virus is very dangerous as it creates convincing web fakes and overlays them on the screens of infected devices. Thus, when a user tries to open a targeted application, attackers steal victims’ login credentials. Then, they try to bypass 2FA to gain access to victims’ accounts.

The research team found out that Godfather is a successor of a widely-used banking Trojan Anubis, whose functionalities were limited. Its source code was leaked back in 2019 and malware developers updated the Trojan to continue attacking users. The criminals modified Anubis’ traffic encryption algorithm, updated Google Authenticator OTPs, and added a separate module for managing virtual network computing connections.

Regional distribution

As of October 2022, 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms have been targeted. According to Group-IB’s findings, the Godfather has targeted the most banking applications in the US (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).

At the same time, Group-IB found an interesting twist in Godfather’s code. It prevents the Trojan from attacking users who speak Russian or other languages used in the former Soviet Union. The virus checks the system language of the infected device and shuts down if the language is: Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. Therefore, the researchers suggest that the developers of Godfather are Russian-speaking and come from one of those non-affected countries.


Cybersecurity Lessons Learned from the Blockchain

How to train more cybersecurity savvy employees

Top 5 cybersecurity lessons for banks

Nina Bobro

1461 Posts 0 Comments

Nina is passionate about financial technologies and environmental issues, reporting on the industry news and the most exciting projects that build their offerings around the intersection of fintech and sustainability.