A new version of the Android malware Godfather creates isolated virtual environments on mobile devices to steal account details and transactions from legitimate banking apps.
These malicious applications operate within a meticulously controlled virtual environment on the device, enabling real-time surveillance, theft of login credentials, and manipulation of transactions, all while maintaining the appearance of authenticity.
As reported by BleepingComputer, this approach mirrors the tactics employed by the FjordPhantom Android malware that emerged in late 2023, which also utilized virtualization to run Southeast Asian (SEA) banking apps within containers to evade detection.
However, Godfather’s reach is significantly broader, targeting over 500 banking, cryptocurrency, and e-commerce applications globally. It employs a sophisticated arsenal, including a fully virtual file system, virtual process IDs, intent spoofing, and a component known as StubActivity.
Insights from Zimperium, which conducted an analysis of the malware, reveal a remarkably high level of deception. Users are presented with the genuine user interface of their apps, while Android security remains oblivious to the malicious activities occurring behind the scenes. This is primarily because only the actions of the host application are declared in the manifest.
Virtual data theft
Godfather manifests itself as an APK app embedded with a virtualization framework. It harnesses open-source tools like the VirtualApp engine and Xposed for hooking into the system.
Once activated, the malware scans for targeted applications. Upon detection, it encapsulates them within its virtual environment and utilizes a StubActivity to launch them within the host container.
A StubActivity serves as a placeholder activity declared in the app that operates the virtualization engine (the malware). It functions as a wrapper or proxy, facilitating the launch and execution of activities from the virtualized apps.
This StubActivity lacks its own user interface or logic, instead transferring behavior to the host app. Consequently, Android perceives it as a legitimate application in operation, while in reality, it is being intercepted and manipulated.
Godfather intercepts permissions
When a victim opens their authentic banking application, Godfather uses the accessibility service permissions it holds to intercept the launch and redirect it to a StubActivity within the host app, which in turn starts the virtual copy of the banking app.
The user is presented with the genuine app interface; however, any sensitive information entered during these interactions is at risk of interception.
Utilizing Xposed for API hooking, Godfather is capable of recording account details, passwords, and PIN codes, while also capturing responses from the bank’s backend systems.
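The two preceding sections describe the building blocks an app-vetting or mobile threat defence pipeline can look for statically: a bundled virtualization engine or hooking framework, placeholder (stub/proxy) activities declared in the manifest, and a declared accessibility service. The triage script below is an added illustration written for this page, not code from Zimperium, BleepingComputer or the Godfather sample. It assumes the dex class list has already been extracted by whatever APK tooling the pipeline uses, and it assumes the package prefixes `com.lody.virtual.` (VirtualApp) and `de.robv.android.xposed.` (Xposed API) as framework indicators; the two manifests and class lists it scores are constructed samples, not real malware artifacts.

```python
"""Static triage heuristic for virtualization-based Android banking trojans.

Scores an APK from two inputs: its AndroidManifest.xml (as text) and the list
of class names found in its dex files.  Added example for this page; the
framework package prefixes and sample data below are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Assumed package prefixes of the open-source frameworks the article names.
FRAMEWORK_PREFIXES = {
    "com.lody.virtual.": "VirtualApp virtualization engine",
    "de.robv.android.xposed.": "Xposed hooking API",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Name fragments typical of placeholder activities that proxy another app.
STUB_TOKENS = ("stub", "proxy", "shadow")


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    detail: str


def parse_manifest(manifest_xml):
    """Return (package, declared activities, accessibility service names)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    activities, a11y_services = [], []
    if app is not None:
        activities = [a.get(ATTR_NAME, "") for a in app.findall("activity")]
        a11y_services = [
            s.get(ATTR_NAME, "")
            for s in app.findall("service")
            if s.get(ATTR_PERMISSION) == ACCESSIBILITY_PERMISSION
        ]
    return package, activities, a11y_services


def triage(manifest_xml, dex_classes):
    """Combine the three indicators into findings and an overall verdict."""
    package, activities, a11y = parse_manifest(manifest_xml)
    findings = []

    # 1. Embedded virtualization / hooking framework code.
    for prefix, label in FRAMEWORK_PREFIXES.items():
        hits = [c for c in dex_classes if c.startswith(prefix)]
        if hits:
            findings.append(Finding("high", f"{len(hits)} class(es) under {prefix}* ({label})"))

    # 2. Placeholder-style activities that could proxy a virtualized app.
    stubs = [a for a in activities if any(t in a.lower() for t in STUB_TOKENS)]
    if stubs:
        findings.append(Finding("medium", "placeholder-style activities: " + ", ".join(stubs)))

    # 3. A declared accessibility service (needed to redirect app launches).
    if a11y:
        findings.append(Finding("medium", "accessibility service(s): " + ", ".join(a11y)))

    has_framework = any(f.severity == "high" for f in findings)
    has_proxy_or_a11y = bool(stubs or a11y)
    if has_framework and has_proxy_or_a11y:
        verdict = "high"      # engine plus the means to hijack a launch
    elif has_framework or has_proxy_or_a11y:
        verdict = "medium"    # one indicator alone has benign explanations
    else:
        verdict = "low"
    return {"package": package, "verdict": verdict, "findings": findings}


# Constructed sample: a dropper-style manifest with all three indicators.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Updater">
    <activity android:name="com.example.dropper.MainActivity"/>
    <activity android:name="com.example.dropper.StubActivity"/>
    <service android:name="com.example.dropper.A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""
SUSPICIOUS_CLASSES = [
    "com.example.dropper.MainActivity",
    "com.example.dropper.StubActivity",
    "com.lody.virtual.client.core.VirtualCore",
    "de.robv.android.xposed.XposedBridge",
]

# Constructed sample: an ordinary note-taking app with none of the indicators.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes">
    <activity android:name="com.example.notes.MainActivity"/>
    <activity android:name="com.example.notes.EditorActivity"/>
  </application>
</manifest>
"""
BENIGN_CLASSES = ["com.example.notes.MainActivity", "com.example.notes.EditorActivity"]

if __name__ == "__main__":
    for manifest, classes in ((SUSPICIOUS_MANIFEST, SUSPICIOUS_CLASSES), (BENIGN_MANIFEST, BENIGN_CLASSES)):
        result = triage(manifest, classes)
        print(result["package"], "->", result["verdict"])
        for f in result["findings"]:
            print("  [%s] %s" % (f.severity, f.detail))
```

The verdict deliberately escalates only when a framework is bundled together with a proxy activity or accessibility service: legitimate dual-app or parental-control products also ship VirtualApp-style engines, and many accessibility tools are benign, so either indicator on its own is worth a look rather than a block. In practice the class list would come from the pipeline's dex parser and the prefix table from a maintained indicator feed.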
Malware displays fake lock screen
The malware employs a deceptive fake lock screen overlay at critical moments, coaxing the victim into entering their PIN or password. Once all pertinent data has been harvested, it lies in wait for commands from its operators to unlock the device, manipulate user interfaces, open applications, and execute payments or transfers within the legitimate banking app.
Throughout this process, the user may encounter a counterfeit update screen or a black screen, strategically designed to minimize suspicion.
Evolving threat
Godfather first emerged in the Android malware landscape in March 2021, and since then, it has demonstrated remarkable evolutionary advancements.
The latest iteration of Godfather signifies a substantial evolution from the previous sample analyzed by Group-IB in December 2022, which targeted 400 applications across 16 countries with HTML login screen overlays atop banking and cryptocurrency apps.
While the campaign identified by Zimperium currently focuses on a limited number of Turkish banking apps, it is important to note that other Godfather operators may activate additional subsets of the 500 targeted applications, potentially launching attacks in other regions.