1 min

Germany’s finance regulator reports that more than 400 banking and cryptocurrency applications worldwide have been attacked by a malware variant known as ‘Godfather’.

The German Federal Financial Supervisory Authority (BaFin) said it’s unclear how the malware infects users’ devices at the time of writing. The regulator said that it’s collecting user input on banking and cryptocurrency apps.

Earlier reports on the Godfather trojan suggest that attackers attempt to mislead users into inputting their login credentials on malicious apps disguised as legitimate banking apps.

How Godfather spreads

Godfather reportedly imitates the Google Protect program and requests access to the Accessibility Service after it’s installed.

The malware can access messages, contacts and notifications when given access. Furthermore, it’s capable of recording screens, making phone calls and writing to external storage.

The malware sends push notifications to get two-factor authentication codes. According to BaFin, the threat actors behind the attacks could access customers’ accounts and wallets using personal data.


Initial warnings of the Godfather malware surfaced in December. According to reports, the malware infected Android smartphones and attacked individuals in 16 countries.

Cybersecurity experts from Group-IB, who first discovered the malware in 2021, say the trojan’s code has been updated multiple times. The upgrades have resulted in a noticeable spike in recent activity.

Tip: Group-IB tracks down massive investment fraud network