| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Mobile | T1453 | Abuse Accessibility Features | GodFather has abused the accessibility service to prevent the user from uninstalling GodFather, to exfiltrate Google Authenticator one-time passwords, and to steal credentials. |
| Mobile | T1437 | Application Layer Protocol | - |
| Mobile | T1437.001 | Web Protocols | GodFather has leveraged WebSockets for C2. |
| Mobile | T1429 | Audio Capture | GodFather has requested the RECORD_AUDIO permission to record audio with the microphone. |
| Mobile | T1616 | Call Control | GodFather has requested the CALL_PHONE permission to initiate phone calls. |
| Mobile | T1624 | Event Triggered Execution | GodFather has executed when victims use their trusted banking apps, redirecting the victim to a malicious version of the banking app. |
| Mobile | T1646 | Exfiltration Over C2 Channel | GodFather has exfiltrated sensitive information over C2. |
| Mobile | T1617 | Hooking | GodFather has used the Xposed hooking framework to intercept HTTP requests and responses, capturing and exfiltrating sensitive information such as credentials. |
| Mobile | T1629 | Impair Defenses | GodFather has intercepted the return values of APIs that banking apps use to detect malicious services, and modifies the methods to return an empty list, hiding the presence of the malware and other active services. |
| Mobile | T1629.001 | Prevent Application Removal | GodFather has abused the accessibility service to prevent the user from uninstalling it. |
| Mobile | T1630 | Indicator Removal on Host | GodFather has requested the WRITE_EXTERNAL_STORAGE permission to delete files in the device's external storage. |
| Mobile | T1544 | Ingress Tool Transfer | GodFather has downloaded the Google Play Store, Google Play services, and Google Services Framework APKs to a virtual folder. |
| Mobile | T1417 | Input Capture | GodFather has captured information about the device's screen, including detailed tap events. |
| Mobile | T1417.001 | Keylogging | GodFather has intercepted and recorded sensitive information from the application, including user credentials. GodFather has also leveraged a deceptive overlay that tricks users into submitting their device lock credentials, which are then captured. |
| Mobile | T1516 | Input Injection | GodFather has abused the Accessibility Service to mimic victims' actions and to redirect victims to its StubActivity when they attempt to use the original, legitimate banking application. |
| Mobile | T1655 | Masquerading | - |
| Mobile | T1655.001 | Match Legitimate Name or Location | GodFather has imitated Google Play Protect, a security application pre-installed on all Android devices, and its functionality, such as scanning the device and requesting the accessibility service. |
| Mobile | T1575 | Native API | GodFather has hooked the getEnabledAccessibilityServiceList API to return an empty list of active services, which hides GodFather and other active services. |
| Mobile | T1406 | Obfuscated Files or Information | GodFather has obfuscated its Android manifest file with irrelevant permissions and manifest strings. |
| Mobile | T1660 | Phishing | GodFather has generated fake notifications to lure the victim to phishing pages. |
| Mobile | T1636 | Protected User Data | - |
| Mobile | T1636.003 | Contact List | GodFather has accessed the device's contact list. |
| Mobile | T1636.004 | SMS Messages | GodFather has requested the READ_SMS permission to access SMS messages. |
| Mobile | T1603 | Scheduled Task/Job | GodFather has used a timer to initiate a WebSocket connection. |
| Mobile | T1582 | SMS Control | GodFather has requested the SEND_SMS permission to send SMS messages. |
| Mobile | T1418 | Software Discovery | GodFather has gathered a list of installed applications. |
| Mobile | T1426 | System Information Discovery | GodFather has the ability to gain remote control of the victim device and to gather data about the device, including battery level, sound settings, and screen brightness. GodFather has also obtained the phone's state, including network information, phone number, and serial number. |
| Mobile | T1422 | System Network Configuration Discovery | GodFather has accessed the device's current cellular network information, including the phone number and the serial number. |
| Mobile | T1670 | Virtualization Solution | GodFather has used virtualization to create a separate virtual environment that mimicked legitimate banking and cryptocurrency applications. |