A new iteration of the Android malware known as “Godfather” has emerged, showcasing advanced techniques to create isolated virtual environments on mobile devices. This sophisticated approach enables the malware to stealthily steal account data and manipulate transactions from legitimate banking applications.
Because the legitimate banking apps run inside a virtual environment that the malware controls, Godfather can spy on them and harvest credentials in real time while the user sees an unchanged, authentic interface. The tactic resembles the FjordPhantom Android malware that surfaced in late 2023, which also used virtualization to run banking apps in containers and evade detection.
However, Godfather’s reach is significantly broader, targeting over 500 banking, cryptocurrency, and e-commerce applications globally. It employs a comprehensive virtual filesystem, virtual Process ID, intent spoofing, and a component known as StubActivity to enhance its effectiveness.
According to an analysis by Zimperium, the level of deception employed by Godfather is alarmingly high. Users are presented with the authentic app interface, while Android’s security mechanisms overlook the malicious operations, as only the activities of the host app are declared in the manifest.
Virtualized data theft
The Godfather malware is delivered as an APK app that includes an embedded virtualization framework, utilizing open-source tools such as the VirtualApp engine and Xposed for hooking functionalities. Upon activation, it scans for installed target applications. If any are detected, it places them within its virtual environment and employs a StubActivity to launch them from within the host container.
A StubActivity is a placeholder component declared in the host app's manifest by the malware's virtualization engine. It has no user interface or logic of its own; when launched, it hands control to the real activity of the virtualized target app running inside the container. Android therefore sees only a component the host app legitimately declared, while the malware sits between the user and the genuine banking app and can intercept and control every interaction.
Source: Zimperium
When a victim opens their genuine banking app, Godfather, which has already been granted accessibility-service access, intercepts the launch intent and redirects it to a StubActivity within the host app, which then starts the virtual copy of the banking application inside the container. The user sees the authentic app interface, but every input and every response now passes through code the malware controls.
Utilizing Xposed for API hooking, Godfather is capable of recording account credentials, passwords, PINs, touch events, and capturing responses from the banking backend. The malware also employs a deceptive lock screen overlay at critical moments, tricking victims into entering their sensitive information.
Once the malware has successfully gathered and exfiltrated the data, it remains poised for commands from its operators to unlock the device, navigate the user interface, open applications, and initiate payments or transfers from within the authentic banking app. During these operations, users may be presented with a fake “update” screen or a black screen to avoid raising suspicion.
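The manifest and class-name indicators described above (numbered StubActivity placeholders declared by the host, an accessibility service, overlay capability, and the VirtualApp and Xposed libraries) can be checked statically from an unpacked APK. The following Python triage script is an added example, not Zimperium's or the malware's code: the manifest and class list it scans are constructed inline, and the class prefixes it matches are those of the open-source VirtualApp (`com.lody.virtual`) and Xposed (`de.robv.android.xposed`) projects, which a repackaged engine may rename, so the script keys on the numbered `$C<n>` placeholder pattern rather than on any literal name.

```python
"""Static triage of an unpacked Android APK for virtualization-engine
indicators of the kind Godfather uses.  Added example with constructed
inputs; nothing here is taken from a real sample."""
import json
import re
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
# Placeholder components in VirtualApp-style engines come in numbered
# families (StubActivity$C0, $C1, ...).  Assumption: a rebuilt engine may
# rename the class, so the numbered suffix, not the prefix, is the signal.
STUB_SUFFIX = re.compile(r"\$C\d+$")
MIN_FAMILY_SIZE = 3
FRAMEWORK_PREFIXES = {            # assumed, taken from the open-source projects
    "virtualapp": ("com.lody.virtual.",),
    "xposed": ("de.robv.android.xposed.",),
}


def build_manifest(n_stubs: int, with_a11y: bool) -> str:
    """Constructed AndroidManifest.xml as apktool would decode it."""
    stubs = "\n".join(
        f'    <activity android:name="com.lody.virtual.client.stub.StubActivity$C{i}" />'
        for i in range(n_stubs))
    a11y = ""
    if with_a11y:
        a11y = (f'    <service android:name=".A11yService" android:permission="{A11Y_PERMISSION}">\n'
                '      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService" /></intent-filter>\n'
                '    </service>')
    return f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="{OVERLAY_PERMISSION}" />
  <application android:label="Update">
    <activity android:name=".MainActivity" android:exported="true" />
{stubs}
    <provider android:name="com.lody.virtual.client.stub.StubContentProvider$C0" android:authorities="com.example.dropper.vp0" />
{a11y}
  </application>
</manifest>"""


CONSTRUCTED_MANIFEST = build_manifest(4, True)
CONSTRUCTED_CLASSES = [           # as listed by a dex dumper; constructed
    "com.example.dropper.MainActivity",
    "com.example.dropper.A11yService",
    "com.lody.virtual.client.core.VirtualCore",
    "com.lody.virtual.client.stub.StubActivity$C0",
    "de.robv.android.xposed.XposedBridge",
    "de.robv.android.xposed.XC_MethodHook",
    "okhttp3.OkHttpClient",
]


def component_names(manifest_xml: str) -> list:
    app = ET.fromstring(manifest_xml).find("application")
    return [el.get(ANDROID_NS + "name") for el in app
            if el.tag in ("activity", "service", "provider", "receiver")
            and el.get(ANDROID_NS + "name")]


def stub_families(manifest_xml: str) -> dict:
    """Base names of numbered placeholder components, with family size."""
    counts = Counter(STUB_SUFFIX.sub("", n) for n in component_names(manifest_xml)
                     if STUB_SUFFIX.search(n))
    return {base: n for base, n in counts.items() if n >= MIN_FAMILY_SIZE}


def accessibility_services(manifest_xml: str) -> list:
    return [svc.get(ANDROID_NS + "name") for svc in ET.fromstring(manifest_xml).iter("service")
            if svc.get(ANDROID_NS + "permission") == A11Y_PERMISSION]


def requested_permissions(manifest_xml: str) -> set:
    return {p.get(ANDROID_NS + "name") for p in ET.fromstring(manifest_xml).iter("uses-permission")}


def framework_indicators(class_names) -> dict:
    hits = {key: [] for key in FRAMEWORK_PREFIXES}
    for cls in class_names:
        for key, prefixes in FRAMEWORK_PREFIXES.items():
            if cls.startswith(prefixes):
                hits[key].append(cls)
    return hits


def triage(manifest_xml: str, class_names) -> dict:
    """Virtualization alone is not malicious (dual-space apps use the same
    engines); flag only when it is combined with a control channel."""
    report = {
        "stub_families": stub_families(manifest_xml),
        "accessibility_services": accessibility_services(manifest_xml),
        "overlay_permission": OVERLAY_PERMISSION in requested_permissions(manifest_xml),
        "frameworks": framework_indicators(class_names),
    }
    report["suspicious"] = bool(report["stub_families"]) and (
        bool(report["accessibility_services"]) or report["overlay_permission"]
        or any(report["frameworks"].values()))
    return report


if __name__ == "__main__":
    print(json.dumps(triage(CONSTRUCTED_MANIFEST, CONSTRUCTED_CLASSES), indent=2))
```

Run it against a real sample by pointing `triage()` at the manifest apktool decoded and at the class list from a dex dumper. A legitimate "parallel space" app will also show stub families and the VirtualApp prefix, which is why the verdict additionally requires an accessibility service or overlay capability, the two things Godfather needs to intercept launches and cover the screen.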
Evolving threat
Godfather first made its presence known in the Android malware landscape in March 2021, as identified by ThreatFabric, and has since undergone a remarkable evolution. The latest version represents a significant advancement from the previous sample analyzed by Group-IB in December 2022, which targeted 400 applications across 16 countries using HTML login screen overlays on banking and cryptocurrency exchange apps.
While the campaign identified by Zimperium currently focuses on a limited number of Turkish banking applications, it is plausible that other operators of Godfather may activate additional subsets of the 500 targeted applications to launch attacks in various regions.
To safeguard against this malware, users are advised to install applications only from Google Play or trusted publishers, keep Play Protect enabled, and review the permissions apps request, treating a request for accessibility-service access or permission to draw over other apps from an unfamiliar app as a red flag, since those are the capabilities Godfather relies on to intercept app launches and display its overlays.