GodFather Android Malware Runs Real Apps in a Sandbox to Steal Data

Cybersecurity researchers at Zimperium zLabs, under the guidance of Fernando Ortega and Vishnu Pratapagiri, have made a significant discovery in the realm of mobile security. They have identified a new variant of the GodFather Android malware that employs an innovative technique known as on-device virtualization, enabling it to hijack legitimate mobile applications. This sophisticated malware primarily targets banking and cryptocurrency applications, effectively transforming users’ devices into unwitting spies.

The Virtualization Trick

Rather than merely presenting a counterfeit interface, this malware installs a concealed host application that subsequently downloads and executes a genuine version of the targeted banking or cryptocurrency app within a controlled environment, or sandbox. When users attempt to access their actual applications, they are redirected to this manipulated virtual version.

In this deceptive setup, the malware meticulously monitors and governs every action, tap, and keystroke in real time. This makes it exceedingly difficult for users to detect any anomalies, as they are interacting with what appears to be the authentic app, albeit in a compromised setting. This advanced technique enables attackers to capture usernames, passwords, and device PINs, granting them comprehensive control over users’ accounts.

The implications of this method are profound. Attackers can siphon sensitive information as it is entered and even alter the app’s functionality, circumventing security measures that typically flag rooted devices. Notably, the GodFather malware leverages several legitimate open-source tools, such as VirtualApp and XposedBridge, to orchestrate its deceptive maneuvers and elude detection.

Global Targets and Evasive Maneuvers

While GodFather capitalizes on its advanced virtualization capabilities, it also employs traditional overlay attacks, which involve placing misleading screens directly atop legitimate applications. This dual strategy underscores the adaptability of the threat actors involved.

According to Zimperium’s blog, the GodFather Android malware campaign has a far-reaching impact, targeting 484 applications worldwide. However, the sophisticated virtualization attack currently zeroes in on 12 specific financial institutions in Turkey. The broader 484-application target list encompasses not only banking and cryptocurrency platforms but also major global services related to payments, e-commerce, social media, and communication.

The malware further enhances its stealth by employing clever tactics to evade detection by security tools. It alters the assembly of APK files (Android application packages), manipulating their structure to appear encrypted or embedding misleading information such as $JADXBLOCK. Additionally, it relocates much of its malicious code to the Java segment of the app and obfuscates its Android manifest file with irrelevant data.

Further investigation revealed that GodFather still utilizes Android’s accessibility services—originally designed to assist users with disabilities—to deceive users into installing hidden components of its application. It employs misleading prompts like “You need permission to use all the features of the application,” and once it acquires accessibility permissions, it can secretly grant itself additional permissions without the user’s awareness.
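The two behaviours described above, a legitimate app being executed inside a third-party virtual container and an abused accessibility service, can both be checked for at runtime by the app being protected. The following is an added illustrative example written for this article; it is not code from Zimperium, from the GodFather sample, or from VirtualApp. The class, method and package names (`com.example.integrity`, `EnvironmentCheck`, `foreignApkMappings`) are hypothetical; the Android APIs it calls (`ApplicationInfo.dataDir`, `ApplicationInfo.sourceDir`, `Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES`, the Linux `/proc/self/maps` file) are real. The checks are heuristics, assumed to run early in the app's start-up:

```java
// Added example for this article (hypothetical names, real Android APIs):
// start-up self-checks that a banking or wallet app can run to notice the two
// conditions described in the text: being executed inside another app's virtual
// container, and an accessibility service being enabled on the device.
package com.example.integrity;   // hypothetical package

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.provider.Settings;
import android.text.TextUtils;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public final class EnvironmentCheck {

    /** Plain result holder so the caller can log, block, or report to a backend. */
    public static final class Result {
        public final boolean suspectVirtualContainer;
        public final List<String> reasons;                // human-readable findings
        public final List<String> foreignApks;            // other packages' APKs in our process
        public final List<String> accessibilityServices;  // flattened ComponentNames

        Result(boolean suspect, List<String> reasons, List<String> foreignApks,
               List<String> accessibilityServices) {
            this.suspectVirtualContainer = suspect;
            this.reasons = reasons;
            this.foreignApks = foreignApks;
            this.accessibilityServices = accessibilityServices;
        }
    }

    private EnvironmentCheck() {}

    public static Result run(Context ctx) {
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();
        List<String> reasons = new ArrayList<>();

        // 1. A genuine install keeps private data directly under /data/user/<id>/<pkg>
        //    (or the legacy /data/data/<pkg>). A container host serves the guest from
        //    a directory under the host's own package, so the exact form no longer holds.
        String dataDir = ai.dataDir == null ? "" : ai.dataDir;
        boolean dataDirOk = dataDir.equals("/data/data/" + pkg)
                || dataDir.matches("/data/user/\\d+/" + Pattern.quote(pkg));
        if (!dataDirOk) reasons.add("dataDir is not the canonical path: " + dataDir);

        // 2. An installed APK lives under /data/app/; a guest APK loaded by a container
        //    is usually a copy stored somewhere inside the host's data directory.
        String sourceDir = ai.sourceDir == null ? "" : ai.sourceDir;
        if (!sourceDir.startsWith("/data/app/")) {
            reasons.add("sourceDir is not an installed APK path: " + sourceDir);
        }

        // 3. In a normal process only our own user-installed APK is mapped. Another
        //    package's /data/app/... APK in our address space points at a host app.
        List<String> foreign = foreignApkMappings(pkg);
        if (!foreign.isEmpty()) reasons.add("foreign APKs mapped: " + foreign);

        // 4. Enabled accessibility services are not proof of anything, but the text
        //    shows why a financial app should at least know about them and report them.
        List<String> a11y = enabledAccessibilityServices(ctx);

        return new Result(!reasons.isEmpty(), reasons, foreign, a11y);
    }

    /** Paths of user-installed APKs, other than our own, mapped into this process. */
    static List<String> foreignApkMappings(String ownPkg) {
        List<String> out = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int idx = line.indexOf('/');          // path column starts at first '/'
                if (idx < 0) continue;
                String path = line.substring(idx).trim();
                // Restrict to /data/app so framework and system APKs are not flagged.
                if (path.startsWith("/data/app/") && path.contains(".apk")
                        && !path.contains(ownPkg) && !out.contains(path)) {
                    out.add(path);
                }
            }
        } catch (IOException e) {
            // An unreadable maps file is unusual; surface it instead of assuming "clean".
            out.add("<unreadable /proc/self/maps: " + e.getMessage() + ">");
        }
        return out;
    }

    /** Colon-separated list of enabled accessibility services from Settings.Secure. */
    static List<String> enabledAccessibilityServices(Context ctx) {
        List<String> out = new ArrayList<>();
        String enabled = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (!TextUtils.isEmpty(enabled)) {
            for (String s : enabled.split(":")) {
                if (!s.isEmpty()) out.add(s);
            }
        }
        return out;
    }
}
```

Each signal is independently weak and can be spoofed by a container that hooks the APIs it is read from, which is exactly what the text says this malware does with rooting checks; the value is in combining them and sending the findings to the backend, where they can be weighed against server-side attestation before a session is allowed to proceed.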

Moreover, the malware conceals critical information, such as its connection details to the command and control server (C2), in encoded formats, complicating tracking efforts. Once activated, it transmits screen details back to the attackers, providing them with a real-time view of the compromised device. This revelation underscores the ongoing challenges in mobile security as threats evolve in complexity and become increasingly difficult to detect.

“This is definitely a novel technique and I can see its potential,” remarked Casey Ellis, Founder at Bugcrowd. “It will be interesting to see how effective it actually is in the wild, whether or not the threat actors decide to deploy it outside of Turkey, and if other threat actors attempt to replicate a similar approach.”
