malwarebytes banner


How to remove GodFather malware (Android)

GodFather is the name of a banking trojan that targets Android devices. Developers behind this malware seek to exfiltrate account credentials and use them for accessing 400+ online banking pages and crypto exchanges across 16 countries worldwide. The GodFather trojan functions by creating overlaid log-in screens and displaying them over legitimate apps or web pages. This way, it tricks users into entering their login data on fake screens, which allows threat actors to access finance-related accounts and abuse them for financial fraud. Before GodFather becomes capable of performing such malicious action, it needs users to allow certain permissions (access to SMS texts and notifications, screen recording, contacts, making calls, recording to external storage, and reading the device status) in the Accessibility Service window. The trojan does it by imitating the legitimate "Google Protect" tool, therefore making the process look ordinary and less likely to trigger suspicion from users. After the permissions are granted, the trojan gets complete liberty to run its malicious actions. GodFather also abuses the granted access to complicate manual removal, steal two-factor authentication codes, process different commands, and hijack data from PIN and password fields. If you want to learn more about the technical specs of GodFather banking trojan, you can check out this page. In summary, GodFather is a highly-devastating infection that can lead to significant financial losses, which is why it must be removed completely and without traces from your device. Use our guide below to do it.

How to remove Cypher RAT (Android)

Cypher is a remote administration trojan (RAT) promoted by cybercriminals to control Android devices and run a number of malicious actions on them. Once it hacks an Android device, threat actors become able to manage almost the whole device for achieving their purposes. Cypher is also a public trojan that can be purchased by anyone in form of subscription plans on the developers' website. One of the special features that cybercriminals behind Cypher get access to is the so-called clipboard hijacker. It is designed to substitute copied addresses of crypto wallets with ones owned by trojan owners. In other words, if a victim runs some cryptocurrency transaction while the trojan is on the smartphone, cybercriminals will be able to stealthily replace the copied address and receive the payment to their wallet instead. Apart from this, Cypher RAT has a plethora of other capabilities typical for such malware. For instance, it can change smartphone wallpapers, manage calls and SMSs, force-open various apps, manipulate the screen, memorize keyboard strokes, take screenshots, use a microphone to record incoming audio, analyze the device location, download additional software, read 2-factor authentication codes, imitate log-in windows, and other such functions aimed at benefiting cybercriminals in any desired way.

How to remove FlyTrap Trojan (Android)

FlyTrap is a trojan infection designed to steal Facebook accounts and use them for future abuse. An authoritative security company named Zimperium researched this malware and confirmed its activity across 100+ countries with at least 10,000 users affected by it. According to reports, many have been affected by FlyTrap via a malicious application that promotes coupons, discounts, and other similar content. Clicking on such content can lead to a fake verification window demanding login credentials for a Facebook account. After successfully retrieving the inserted data and accessing the targetted Facebook account, FlyTrap becomes able to inject malicious JavaScript code in order to collect sensitive information (e.g., IP-addresses, geolocations, e-mail addresses, internet cookies, tokens, etc.). The stolen accounts may thereafter be abused for scamming friends or spreading malware via malicious links or attachments. Thus, FlyTrap is a dangerous infection that may lead to massive security problems and compromise users' identities. Follow our guide below to get rid of the virus from your Android smartphone. After doing so, it is important to change passwords and notify your friends/contacts about the committed hacking.

How to remove Payroll Timetable e-mail virus

Payroll Timetable is a malicious e-mail campaign designed to trick users into downloading a devastating trojan called TrickBot. Developers in charge of this campaign send thousands of identical messages representing fake information about some payroll timetable. By impersonating the name of a legitimate company named PricewaterhouseCoopers and pretending to be its employees, cybercriminals encourage users to review some "irregularities" by opening the attached file. Such text is usually random to users and simply meant to raise curiosity for opening a malicious attachment in .docx, .xls, or other MS Office formats. If you ever receive a message accompanied by some attachment, chances are, this is an attempt to deliver a virus infection. The distributed TrickBot trojan is meant to record sensitive information (e.g., passwords, usernames, e-mails, etc.) and use it for stealing related accounts. The scope of cybercriminals is especially towards various finance-related applications, such as pocket banks or crypto-wallets. Unfortunately, if you trusted the Payroll Timetable e-mail message and opened the attached document, then your system is more likely infected. Use our guide below to avert the damage by running complete deletion of the infection.

How to remove S.O.V.A. Banking Trojan (Android)

S.O.V.A. is a banking trojan virus designed to extract finance-related information from Android devices. Specifically, it was spotted to do so on devices ranging from 7 to 11 Android versions. While being distributed under the disguise of ostensibly legitimate software, the sneaky trojan demands users to grant a number of device permissions. If such permissions are eventually given, the trojan will become capable of reading the device's screen and simulating fake log-in windows to bait users into entering their credentials. As mentioned, the main target of S.O.V.A. is banking information, which means it is likely the trojan will try to collect information from banking applications, cryptocurrency wallets, and other places related to finance. Due to the keylogging abilities, the trojan can record all the typed keystrokes and abuse them for stealing accounts or performing unauthorized money transactions. In addition, it was also observed that S.O.V.A. has access to managing SMS messages and displaying various pop-ups. Allowing such malware to operate for too long may indeed lead to severe privacy issues and potential loss of finance. On top of that, the S.O.V.A. banking trojan is still considered under development and is expected to acquire more features (performing DDoS attacks, operating as screen-locking ransomware, impeding 2FAs (Two-Factor Authentications), and so forth) in future updates. Thus, if you suspect your Android is under the affection of this or similar infection, follow our guidelines below to remove it and ensure further protection against such threats.

How to remove Conteban Trojan

Conteban is a remote-access trojan that, upon successful Infiltration, manipulates system features to run malicious actions on it. While the actual purpose of this virus remains unclear, malware of such tends to cause chain infections. This means that Conteban may act as a "backdoor" to bring other viruses, such as ransomware, along the way. Ransomware is a devastating malicious software that usually encrypts system stored data and blackmails victims into paying money for its return. In addition, many developers behind trojan infections also seek the extraction of valuable information (e.g. passwords, log-ins, banking credentials, etc.). This data can therefore be misused to perform fraudulent financial operations, putting users' funds and privacy at significant risk. Sometimes, however, there is software mistakenly tagged as Trojan-Win32/Conteban by various antivirus engines, including native Windows Defender. These false positives happen pretty often and may occur while launching or installing a third-party file downloaded from the web. If you suspect your system to be actually infected, or you doubt the trustworthiness of the file downloaded, we recommend you use our guide to make sure nothing threatens your PC.