Godfather Android malware now uses virtualization to hijack banking apps

A new version of the Android malware “Godfather” creates isolated virtual environments on mobile devices to steal account data and transactions from legitimate banking apps.

These malicious apps are executed inside a controlled virtual environment on the device, enabling real-time spying, credential theft, and transaction manipulation while maintaining perfect visual deception.

The tactic resembles that seen in the FjordPhantom Android malware in late 2023, which also used virtualization to execute Southeast Asian (SEA) bank apps inside containers to evade detection.

However, Godfather’s targeting scope is much broader: it goes after more than 500 banking, cryptocurrency, and e-commerce apps worldwide, using a full virtual filesystem, a virtual process ID, intent spoofing, and a StubActivity.

According to Zimperium, which analyzed the sample, the level of deception is very high: the user sees the real app’s UI, while Android’s protections miss the malicious activity because only the host app’s activities are declared in the manifest.

Virtualized data theft

Godfather comes in the form of an APK app containing an embedded virtualization framework, leveraging open-source tools such as the VirtualApp engine and Xposed for hooking.

Once active on the device, it checks for installed target apps and, if any are found, places them inside its virtual environment and uses a StubActivity to launch them inside the host container.

A StubActivity is a placeholder activity declared in the app running the virtualization engine (the malware) that acts as a shell or proxy for launching and running activities from virtualized apps.

It doesn’t contain its own UI or logic and, instead, delegates behavior to the host app, tricking Android into thinking that a legitimate app is being run while actually intercepting and controlling it.

Creating the virtualized environment
Source: Zimperium

When the victim launches the real banking app, Godfather uses its accessibility service permission to intercept the launch ‘Intent’ and redirect it to a StubActivity inside the host app, which starts the virtualized copy of the banking app inside the container.

The user sees the real app interface, but all sensitive data involved in their interactions can be easily hijacked.

By hooking APIs with Xposed, Godfather can record account credentials, passwords, PINs, and touch events, and capture responses from the banking backend.
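The virtual filesystem, host-process execution, and Xposed hooks described above each leave traces that a targeted app can look for at startup. The following is an added example of such a runtime self-check for a banking app (not code from Zimperium’s report or from the Godfather sample); the class names it probes for are assumed markers of the VirtualApp engine and Xposed, and it assumes it is called from the app’s main process on Android.

```java
import android.content.Context;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Collects indicators that this app is running inside a virtualization container. Empty list = none found. */
public final class VirtualizationCheck {
    // Assumed marker classes of the frameworks named in the article; replace with what you observe in samples.
    private static final String[] FRAMEWORK_CLASSES = {
        "com.lody.virtual.client.core.VirtualCore",   // VirtualApp engine (assumed)
        "de.robv.android.xposed.XposedBridge"         // Xposed hooking framework (assumed)
    };

    private VirtualizationCheck() {}

    public static List<String> findIndicators(Context ctx) {
        Set<String> hits = new LinkedHashSet<>();
        String pkg = ctx.getPackageName();

        // 1. Our private data directory should sit under our own package name. A container with a
        //    virtual filesystem redirects it into the host app's sandbox instead.
        String dataDir = ctx.getApplicationInfo().dataDir;
        if (dataDir == null || !dataDir.contains("/" + pkg)) {
            hits.add("dataDir outside own package: " + dataDir);
        }

        // 2. Only our own APK should be mapped into this process. An APK under /data/app that does not
        //    belong to our package means another app's code (the host container) shares our process.
        try (BufferedReader maps = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = maps.readLine()) != null) {
                int idx = line.indexOf("/data/app/");
                if (idx >= 0 && line.endsWith(".apk") && !line.contains(pkg)) {
                    hits.add("foreign APK mapped into process: " + line.substring(idx));
                }
            }
        } catch (IOException e) {
            hits.add("could not read /proc/self/maps");  // weak signal on its own
        }

        // 3. Virtualization or hooking framework classes reachable from the process class loader.
        for (String name : FRAMEWORK_CLASSES) {
            try {
                Class.forName(name, false, ClassLoader.getSystemClassLoader());
                hits.add("framework class present: " + name);
            } catch (ClassNotFoundException ignored) { /* expected when not virtualized */ }
        }
        return new ArrayList<>(hits);
    }
}
```

Because a container hooks filesystem and PackageManager calls, any single signal can be spoofed; treat the combined result as a risk score reported to the backend rather than a hard block.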

Network hooks used by Godfather
Source: Zimperium

The malware displays a fake lock screen overlay at key moments to trick the victim into entering their PIN/passwords.

Once it has collected and exfiltrated all that data, it awaits commands from the operators to unlock the device, perform UI navigation, open apps, and trigger payments/transfers from inside the real banking app.

During this, the user sees a fake “update” screen or a black screen so as not to raise their suspicion.

Evolving threat

Godfather first appeared in the Android malware space in March 2021, when ThreatFabric discovered it, and has followed an impressive evolutionary trajectory since then.

The latest Godfather version constitutes a significant evolution from the last sample analyzed by Group-IB in December 2022, which targeted 400 apps in 16 countries using HTML login screen overlays on top of banking and crypto exchange apps.

Although the campaign Zimperium spotted only targets a dozen Turkish bank apps, other Godfather operators may opt to activate other subsets of the 500 targeted apps to attack different regions.

To protect yourself from this malware, only download apps from Google Play or APKs from publishers you trust, ensure that Play Protect is active, and pay attention to the requested permissions.
