{
  "description": "Mobile techniques used by GodFather, ATT&CK software S1231 (v1.0)",
  "name": "GodFather (S1231)",
  "domain": "mobile-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1453", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has abused the accessibility service to prevent the user from uninstalling [GodFather](https://attack.mitre.org/software/S1231), to exfiltrate Google Authenticator one-time passwords and to steal credentials.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1437", "showSubtechniques": true},
    {"techniqueID": "T1437.001", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has leveraged WebSockets for C2.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1429", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has requested the `RECORD_AUDIO` permission to record audio with the microphone.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1616", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has requested the `CALL_PHONE` permission to initiate phone calls.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1624", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has executed when victims use their trusted banking apps, redirecting the victim to a malicious version of the banking app.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1646", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has exfiltrated sensitive information over C2.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1617", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has used the Xposed hooking framework to intercept HTTP requests and responses, capturing and exfiltrating sensitive information, such as credentials.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1629", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has intercepted API return values from banking apps that detect malicious services, modifying the methods to return an empty list that hides the presence of the malware and other active services.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1629.001", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has abused the accessibility service to prevent the user from uninstalling itself.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1630", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has requested the `WRITE_EXTERNAL_STORAGE` permission to delete files in the device\u2019s external storage.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1544", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has downloaded the Google Play Store, Google Play services and Google Services Framework APKs to a virtual folder.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1417", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has captured information about the device's screen, including detailed tap events.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1417.001", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has intercepted and recorded sensitive information from the application, including user credentials. [GodFather](https://attack.mitre.org/software/S1231) has also leveraged a deceptive overlay that tricks users into submitting their device lock credentials, which are then captured.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1516", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has abused the Accessibility Service to mimic victims\u2019 actions and to redirect victims to its StubActivity when the victims attempt to use the original, legitimate banking application.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1655", "showSubtechniques": true},
    {"techniqueID": "T1655.001", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has imitated Google Play Protect, a security application pre-installed on all Android devices, and its functionalities, such as scanning the device and requesting the accessibility service.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1575", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has hooked the `getEnabledAccessibilityServiceList` API to return an empty list of active services, which hides [GodFather](https://attack.mitre.org/software/S1231) and other active services.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1406", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has obfuscated its Android manifest file with irrelevant permissions and manifest strings.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1660", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has generated fake notifications to lure the victim to phishing pages.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1636", "showSubtechniques": true},
    {"techniqueID": "T1636.003", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has accessed the device\u2019s contact list.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1636.004", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has requested the `READ_SMS` permission to access SMS messages.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1603", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has utilized a timer to initiate a WebSocket connection.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1582", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has requested the `SEND_SMS` permission to send SMS messages.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1418", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has gathered a list of installed applications.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1426", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has the ability to gain remote control of the victim device and to gather data associated with the device, including battery level, sound settings, and device brightness.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025) [GodFather](https://attack.mitre.org/software/S1231) has also obtained the phone's state, including network information, phone number, and serial number.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1422", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has accessed the device\u2019s current cellular network information, including the phone number and the serial number.(Citation: MerkleScience_Godfather_April2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1670", "comment": "[GodFather](https://attack.mitre.org/software/S1231) has used virtualization to create a separate virtual environment that mimicked legitimate banking and cryptocurrency applications.(Citation: ZimperiumOrtegaPratapagiri_GodFather_Jun2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by GodFather", "color": "#66b1ff"}]
}