In a significant advancement in mobile malware tactics, Zimperium zLabs has identified a new version of the GodFather Android trojan. This sophisticated malware employs on-device virtualization to hijack legitimate banking and cryptocurrency applications, posing a serious threat to user security. Unlike traditional methods that rely on fake overlays, GodFather creates a sandbox environment on the victim’s device, allowing it to run actual applications while intercepting user input in real time. This innovative approach facilitates complete account takeovers and circumvents established security measures, with the current campaign primarily targeting Turkish banks.
The latest GodFather samples use ZIP manipulation and obfuscation to defeat static analysis. By altering the APK's ZIP structure and its AndroidManifest, the attackers introduce misleading flags and fields, such as "$JADXBLOCK", that confuse decompilers and other detection tools. The malware conceals its payload in the assets folder and installs it through a session-based install (Android's PackageInstaller session API) to bypass restrictions. It then abuses accessibility services to monitor user input, grant itself permissions automatically, and exfiltrate data to a command-and-control (C2) server over Base64-encoded URLs.
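A practitioner triaging such samples wants a check that does not depend on jadx or apktool parsing the archive the way the author intended. The block below is an added example, not code from the Zimperium report or from the malware: a minimal Java checker that walks the APK's central directory and compares each record with the local file header it points at, reporting name, compression-method and CRC/size disagreements plus any entry with the encryption bit set. The two-entry archive it builds and corrupts in memory is constructed for the demo; the page does not list the exact fields GodFather tampers with, so the comparisons here are the general ones that any ZIP-level tampering would trip.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class ApkZipConsistencyCheck {

    // ZIP record signatures (stored little-endian).
    private static final int LOCAL_SIG = 0x04034b50, CENTRAL_SIG = 0x02014b50, EOCD_SIG = 0x06054b50;

    /** Walk the central directory and compare each record with the local header it points at. */
    static List<String> findInconsistencies(byte[] zip) {
        List<String> findings = new ArrayList<>();
        ByteBuffer b = ByteBuffer.wrap(zip).order(ByteOrder.LITTLE_ENDIAN);

        int eocd = -1;                                   // the EOCD record sits at the end; scan back for it
        for (int i = zip.length - 22; i >= 0; i--) {
            if (b.getInt(i) == EOCD_SIG) { eocd = i; break; }
        }
        if (eocd < 0) { findings.add("no end-of-central-directory record"); return findings; }
        int entries = b.getShort(eocd + 10) & 0xffff;
        int p = b.getInt(eocd + 16);                     // offset of the first central record

        for (int n = 0; n < entries; n++) {
            if (p + 46 > zip.length || b.getInt(p) != CENTRAL_SIG) {
                findings.add("central record " + n + " has a bad signature"); break;
            }
            int cdFlags = b.getShort(p + 8) & 0xffff, cdMethod = b.getShort(p + 10) & 0xffff;
            int cdCrc = b.getInt(p + 16), cdSize = b.getInt(p + 20);
            int nameLen = b.getShort(p + 28) & 0xffff, extraLen = b.getShort(p + 30) & 0xffff;
            int commentLen = b.getShort(p + 32) & 0xffff, local = b.getInt(p + 42);
            String name = new String(zip, p + 46, nameLen, StandardCharsets.UTF_8);

            if (local < 0 || local + 30 > zip.length || b.getInt(local) != LOCAL_SIG) {
                findings.add(name + ": central record does not point at a local header");
            } else {
                int lhFlags = b.getShort(local + 6) & 0xffff, lhMethod = b.getShort(local + 8) & 0xffff;
                int lhCrc = b.getInt(local + 14), lhSize = b.getInt(local + 18);
                int lhNameLen = b.getShort(local + 26) & 0xffff;
                String lhName = new String(zip, local + 30, lhNameLen, StandardCharsets.UTF_8);
                if (!name.equals(lhName)) findings.add(name + ": local header names it '" + lhName + "'");
                if (cdMethod != lhMethod) findings.add(name + ": method central=" + cdMethod + " local=" + lhMethod);
                if (((cdFlags | lhFlags) & 1) != 0) findings.add(name + ": encryption flag set");
                // With bit 3 set the local CRC/size are legitimately zero and live in a data descriptor.
                if ((lhFlags & 8) == 0 && (cdCrc != lhCrc || cdSize != lhSize))
                    findings.add(name + ": crc/size differ between central and local header");
            }
            p += 46 + nameLen + extraLen + commentLen;
        }
        return findings;
    }

    /** Constructed sample: a two-entry archive shaped like an APK, then tampered in its first local header. */
    static byte[] constructedSample() throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(out)) {
            z.putNextEntry(new ZipEntry("assets/payload.bin"));
            z.write("constructed payload".getBytes(StandardCharsets.UTF_8));
            z.closeEntry();
            z.putNextEntry(new ZipEntry("AndroidManifest.xml"));
            z.write("<manifest/>".getBytes(StandardCharsets.UTF_8));
            z.closeEntry();
        }
        byte[] zip = out.toByteArray();
        // The first local header starts at offset 0: set the encryption bit (flags at +6)
        // and a bogus compression method (at +8) while leaving the central directory honest.
        zip[6] |= 1;
        zip[8] = 99; zip[9] = 0;
        return zip;
    }

    public static void main(String[] args) throws IOException {
        for (String f : findInconsistencies(constructedSample())) System.out.println(f);
    }
}
```

Running it on the constructed archive reports the method mismatch and the encryption flag on `assets/payload.bin`. The Android platform's ZIP parser works from the central directory, so an archive whose local headers disagree with it is one that was built to be read one way by the installer and another way by whoever opens it in a decompiler; anything this check reports deserves a manual look before the sample is trusted to any automated pipeline.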
The GodFather trojan builds on legitimate open-source projects, VirtualApp and Xposed, to carry out its virtualization attack. Rather than running the targeted app directly on the Android operating system, it runs a copy inside a container process that the malware controls. Inside that container the malware can hook the application's APIs, read sensitive data as the app handles it, and keep its activity out of sight of both the operating system and the app's own checks.
To initiate its attack, GodFather scans the victim’s device for specific banking applications. Upon detection, it downloads and installs Google Play components into a concealed virtual space under its control. Subsequently, it establishes a deceptive environment where it can secretly execute these genuine banking applications. Key data from the legitimate apps, such as package names and security details, are copied into specially crafted files, enabling the malware to launch authentic banking apps within its sandbox while preserving user sessions.
When a user opens their banking application, GodFather intercepts the launch and redirects them to the copy running inside its virtual space. Because that copy is the genuine app, driven through Android's accessibility services and the malware's own proxy tooling, it looks and behaves exactly like the real thing. Users therefore have no sign that every interaction, including taps and logins, is being recorded.
“This virtualization technique provides attackers with several critical advantages over previously seen malware. By running the legitimate app inside a controlled environment, attackers gain total visibility into the application’s processes, allowing them to intercept credentials and sensitive data in real-time,” states the report from Zimperium. “The malware can be controlled remotely and also use hooking frameworks to modify the behavior of the virtualized app, effectively bypassing security checks such as root detection.” The report emphasizes that because users engage with the real, unaltered application, the attack achieves a level of deception that makes detection through visual inspection nearly impossible.
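Since the virtualized app is the genuine, unaltered one, visual inspection cannot help; what an app can still examine is its own runtime surroundings. The block below is an added example, not Zimperium's or any vendor's code: a set of container indicators an Android app can collect about itself, based on where an installed package's data and code normally live, whose uid the process runs under, and which native libraries are mapped into it. The path conventions are standard Android; the uid relationship and the `/proc/self/maps` filter are assumptions about how VirtualApp-style containers behave. Every read here goes through an API that a hooking framework inside the container can patch, which is exactly the point the report makes about root detection, so the result is best treated as telemetry reported to the backend rather than a local gate.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Process;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Indicators that this app is running inside another app's virtual container
 * (VirtualApp-style) instead of as its own installed package. Every read below
 * goes through an API the container can hook, so treat the output as a signal
 * to report, not a verdict to act on locally.
 */
public final class ContainerIndicators {

    public static List<String> collect(Context ctx) {
        List<String> hits = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. Private data of an installed app lives at /data/user/<n>/<pkg> (older: /data/data/<pkg>).
        //    A container redirects it into the host app's own data directory.
        if (!Pattern.matches("/data/(user/\\d+|data)/" + Pattern.quote(pkg), ai.dataDir)) {
            hits.add("dataDir is not our own install path: " + ai.dataDir);
        }

        // 2. Installed code comes from /data/app/... or a read-only system partition.
        //    A container loads whatever copy of the APK the host placed elsewhere.
        String src = ai.sourceDir;
        boolean installLocation = src.startsWith("/data/app/") || src.startsWith("/system/")
                || src.startsWith("/system_ext/") || src.startsWith("/product/")
                || src.startsWith("/vendor/") || src.startsWith("/apex/");
        if (!installLocation) hits.add("sourceDir is not an install location: " + src);

        // 3. The kernel uid of this process should be the uid PackageManager assigned to our package.
        //    Assumption: a guest process inside a container runs under the host's uid.
        try {
            int pmUid = ctx.getPackageManager().getApplicationInfo(pkg, 0).uid;
            if (pmUid != Process.myUid())
                hits.add("process uid " + Process.myUid() + " differs from package uid " + pmUid);
        } catch (PackageManager.NameNotFoundException e) {
            hits.add("PackageManager does not know our own package");
        }

        // 4. Native libraries mapped from another package's install or data directory
        //    (a container's hooking runtime has to live in this process somewhere).
        //    Assumption: a normal app maps only its own /data libraries; shared-library
        //    providers such as Play services can produce benign hits, so report, don't block.
        Set<String> seen = new HashSet<>();
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int slash = line.indexOf('/');
                if (slash < 0 || !line.endsWith(".so")) continue;
                String path = line.substring(slash);
                boolean foreignInstall = path.startsWith("/data/app/") && !path.contains("/" + pkg + "-");
                boolean foreignData = (path.startsWith("/data/data/") || path.startsWith("/data/user/"))
                        && !path.contains("/" + pkg + "/");
                if ((foreignInstall || foreignData) && seen.add(path))
                    hits.add("library mapped from elsewhere: " + path);
            }
        } catch (IOException e) {
            hits.add("/proc/self/maps unreadable: " + e.getMessage());
        }
        return hits;
    }
}
```

Call `ContainerIndicators.collect(getApplicationContext())` early in the app's startup and ship the list with the session's risk telemetry. An empty list proves nothing, since a hook in the container can return the expected values for every one of these reads; a non-empty list on a device that also reports an unusual accessibility configuration is the combination worth acting on server-side.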
GodFather's hooks are tailored to specific banking applications. Using the Xposed framework, it hooks the OkHttp client library (the OkHttpClient class) that many banking apps use for their network traffic and injects malicious interceptors that capture the contents of requests, including login credentials.
Moreover, the malware hides itself from apps that check for enabled accessibility services by hooking Android's getEnabledAccessibilityServiceList API so that it returns an empty list, making the malware's own accessibility service invisible to such checks. Alarmingly, GodFather can also harvest lock screen credentials by displaying fake overlays that mimic the genuine lock screen, tricking users into entering their PIN, password, or pattern. That capability puts the entire device, not just the targeted apps, at risk.
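To test whether an app notices the two hooks just described, here is an added example (not the malware's code and not from the report): an Xposed module that applies the same hooks to a hypothetical package `com.example.bank`, followed by the app-side cross-check that catches the first of them by comparing the AccessibilityManager result with the Settings rows the framework builds that list from. The interceptor only logs request lines, which is enough to show where in the pipeline the text says credentials are copied out. The Settings read is itself hookable, so the check detects the hook exactly as this page describes it and nothing more thorough.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

/** Xposed module applying the two hooks described in the text to one hypothetical package. */
public class HidingAndInterceptingHooks implements IXposedHookLoadPackage {
    private static final String TARGET = "com.example.bank"; // hypothetical app under test

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET.equals(lpparam.packageName)) return;
        ClassLoader cl = lpparam.classLoader;

        // Hook 1: every caller of getEnabledAccessibilityServiceList(int) now sees an empty list,
        // so an app scanning for an unfamiliar accessibility service finds none.
        XposedHelpers.findAndHookMethod(AccessibilityManager.class, "getEnabledAccessibilityServiceList",
                int.class, new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) {
                        param.setResult(new ArrayList<AccessibilityServiceInfo>());
                    }
                });

        // Hook 2: an okhttp3.Interceptor built as a dynamic proxy in the app's own class loader and
        // added to every OkHttpClient the app builds. findClass throws if the app does not ship OkHttp.
        Class<?> interceptorCls = XposedHelpers.findClass("okhttp3.Interceptor", cl);
        final Object interceptor = Proxy.newProxyInstance(cl, new Class<?>[]{interceptorCls},
                (proxy, method, args) -> {
                    String m = method.getName();
                    if ("hashCode".equals(m)) return System.identityHashCode(proxy);
                    if ("equals".equals(m)) return proxy == args[0];
                    if ("toString".equals(m)) return "ProxyInterceptor";
                    Object chain = args[0];                                    // okhttp3.Interceptor.Chain
                    Object request = XposedHelpers.callMethod(chain, "request");
                    XposedBridge.log("request " + XposedHelpers.callMethod(request, "method") + " "
                            + XposedHelpers.callMethod(request, "url") + " headers="
                            + XposedHelpers.callMethod(request, "headers"));
                    return XposedHelpers.callMethod(chain, "proceed", request); // hand it on unchanged
                });
        XposedHelpers.findAndHookMethod("okhttp3.OkHttpClient$Builder", cl, "build", new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) {
                XposedHelpers.callMethod(param.thisObject, "addInterceptor", interceptor);
            }
        });
    }
}

/** App-side cross-check for hook 1: the framework's list against the Settings rows it is built from. */
final class AccessibilityListCheck {
    static boolean listLooksSuppressed(Context ctx) {
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> viaApi =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        int enabled = Settings.Secure.getInt(ctx.getContentResolver(), Settings.Secure.ACCESSIBILITY_ENABLED, 0);
        String services = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        boolean settingsSayEnabled = enabled == 1 && services != null && !services.trim().isEmpty();
        // Settings lists enabled services but the API returns none: something in between is lying.
        return settingsSayEnabled && viaApi.isEmpty();
    }
}
```

With the module active, `AccessibilityListCheck.listLooksSuppressed` returns true on a device that has any accessibility service enabled, because the hook empties the API result while the Settings rows still list the service. An attacker who also hooks `Settings.Secure.getString` defeats this, so the check belongs alongside the server-side comparison of the two values rather than as the app's only defence.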
The malware supports an extensive set of commands that let attackers simulate gestures, manipulate on-screen elements, open applications or settings pages, control brightness, and capture lock screen credentials through the deceptive overlays described above. By combining virtualization with traditional overlay methods, GodFather targets 484 popular applications, including:
- Banking and financial applications across the U.S., Europe, and Turkey
- Cryptocurrency wallets and exchanges
- E-commerce, ride-sharing, food delivery, and streaming applications
- Social media and messaging platforms
The modular command system of the malware enables it to execute precise, stealthy actions such as launching counterfeit applications, executing gestures, faking updates, controlling screen content, and stealing sensitive data—all while remaining hidden from both users and security tools.
“While this GodFather campaign casts a wide net, targeting nearly 500 applications globally, our analysis reveals that this highly sophisticated virtualization attack is currently focused on a dozen Turkish financial institutions,” concludes the report. “This discovery represents a significant leap in capability beyond previously documented research like ‘FjordPhantom’ and the most recent publicly available analysis reported by Cyble in November 2024.”