Skip to main content

Home Godfather Android malware

Godfather Android malware

Category: Malware

Type: Trojan

Platform: Android

Damage potential: Data theft and exfiltration, espionage and surveillance, installation of additional malware, system manipulation and control, further propagation and spreading to other devices.


The Godfather Android malware is a sophisticated banking trojan that can steal data from over 400 baking sites and cryptocurrency exchanges. It likely has a Russian origin because while it does target users from various countries, it’s set not to target anyone whose device language is set to Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.

This malware can generate fake login screens and display them over legitimate banking and crypto app login forms.

Possible symptoms

The Godfather malware primarily targets banking software, so unexpected notifications that appear to be from a financial institution could be a signal that your system is infected. Other possible symptoms include:

  • Unusual login screens. Banking and cryptocurrency login screens looking different can be a sign of Godfather malware because it is designed to create fake login screens to steal user’s credentials.
  • Suspicious app behavior. We’ve already mentioned login screens, but you should always pay attention if apps suddenly start crashing and freezing. It could be a sign that the malware tried tampering with your installed apps.
  • Decline in performance. Godfather is stealthy and not as resource intensive as some other types of malware. But it is still likely to affect your device performance.
  • Disabled security apps. Various types of malware, including Godfather, aim to disable antivirus software and anti-malware programs.
  • Clipboard changes. Godfather malware may be trying to copy data from your clipboard or paste something itself, such as the attackers’ cryptocurrency wallet address. If you notice that your device doesn’t paste what you copy, stay alert.

Sources of the infection

Godfather is often spread like other types of malware. But because of its specific focus on banking apps, cybercriminals spread Godfather malware via less popular methods such as malicious apps in the Google Play Store. Here’s how it’s often spread:

  • Phishing — using malicious links and attachments in emails and social media messages.
  • Compromised apps — sometimes malicious apps, masquerading as legitimate ones, can be published to official app stores.
  • Pirated software — downloading software from unofficial sources.
  • Malvertising — malicious ads often found on illegal file-sharing websites.


Protecting against Godfather malware primarily comes down to proper cyber hygiene, such as keeping your software up to date and staying cautious with unsolicited links and attachments. But sometimes it’s not enough. While you can’t know if an app on the official app store has been infected with malware, you need to pay attention to even minor changes in how apps are displayed or behave, especially apps connected to the financial industry. Any deviation from the norm may signal that the app is infected with malware.

Godfather malware tries to exploit permissions, so you have to pay attention whenever applications are asking for additional permissions.

You can also use NordVPN’s Threat Protection, a feature that scans files for malware before they’re downloaded to your device.


If you suspect that your device has been infected with Godfather malware, you should first isolate it from the internet and check your banking or cryptocurrency accounts. You should also change your passwords.