BaFin warns of new Godfather banking and crypto malware

Tuesday 10 January 2023 10:38 CET | News

Germany’s Federal Financial Supervisory Authority (BaFin) has issued a warning about a new crypto malware named Godfather.


The new malware was designed to collect user data, and it primarily targets banking and cryptocurrency applications. Once it infects a device, the malware displays fake websites of regular banking and crypto apps in order to steal users' login data. BaFin revealed that the malware is targeting around 400 banking and crypto apps, including those operating in Germany.

We also know that Godfather relies on push notifications to obtain two-factor authentication codes, and that cybercriminals can use this data to gain access to consumers’ accounts and wallets. 

Godfather first came into the spotlight in December 2022, when reports surfaced that it was infecting Android devices and targeting users in 16 countries. The Godfather trojan was reportedly uncovered for the first time in 2021 by cybersecurity experts from Group-IB. Since then, the malware has been improved via code upgrades, and it is now predominantly targeting banking apps from the US. 

Other affected countries include Germany, Spain, Turkey, and Canada. Godfather can affect 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps according to




More information about the Godfather malware

According to, once Godfather is installed, it begins to imitate the Google Protect tool. While doing so, it asks the user for access to the Accessibility Service. If the user grants access to the Accessibility Service, the malware can access SMSs, contacts, and notifications. It can also record the user’s screen, make calls, and write to external storage. 

By taking advantage of the Accessibility Service, Godfather can prevent victims from removing the malware from their devices. It can also obtain Google Authenticator one-time passwords, steal data from PIN and password fields, and process various commands. 

It is worth noting that the malware does not operate on Android devices that have their language set to, Azerbaijani, Belarusian, Kazakh, Kyrgyz, Moldovan, Russian, Tajik, Uzbek or Armenian. 

The malware is being distributed using deceptive applications on Google Play Store mimicking legitimate applications. Some of the symptoms of an infected device include system settings being modified without the user’s permission, general sluggish performance, an increase in data and battery usage, intrusive advertisements, and browsers redirecting to questionable websites. 

In order to prevent infection, users should make sure that Google Play Protect is always enabled on their devices. Moreover, they should be careful when opening links or files received via email or SMS.

Keywords: crypto, malware, BaFin, data protection
Categories: DeFi & Crypto & Web3
Companies: BaFin
Countries: Germany
Discover all the Company news on BaFin and other articles related to BaFin in The Paypers News, Reports, and insights on the payments and fintech industry:
