Your mobile app, their playground: the dark side of the virtualization

Zimperium zLabs has uncovered a sophisticated evolution of the GodFather banking malware that leverages an advanced on-device virtualization technique to hijack several legitimate applications, with a focus on mobile banking and cryptocurrency applications. This method marks a significant leap in mobile threat capabilities, moving beyond traditional overlays to a more deceptive and effective form of attack.

The core of this novel technique is the malware’s ability to create a complete, isolated virtual environment on the victim’s device. Instead of simply mimicking a login screen, the malware installs a malicious “host” application that contains a virtualization framework. This host then downloads and runs a copy of the actual targeted banking or cryptocurrency app within its controlled sandbox. When a user launches their app, they are seamlessly redirected to this virtualized instance, where every action, tap, and data entry is monitored and controlled by the malware at runtime.

This virtualization technique provides attackers with several critical advantages over previously seen malware. By running the legitimate app inside a controlled environment, attackers gain total visibility into the application’s processes, allowing them to intercept credentials and sensitive data in real time. The malware can be controlled remotely and can also use hooking frameworks to modify the behavior of the virtualized app, effectively bypassing security checks such as root detection. In addition to this core technique, GodFather has evolved its evasive maneuvers, employing ZIP manipulation and shifting code to the Java layer to defeat static analysis tools. Crucially, because the user is interacting with the real, unaltered application, the attack achieves near-perfect deception, making it nearly impossible to detect through visual inspection and neutralizing user vigilance.
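As an added defender-side illustration (not code from Zimperium's report or from the GodFather samples), the following is a startup self-check an Android app can run to notice the environment mismatches that a launch inside another app's virtualization sandbox produces. The three heuristics are assumptions about how a normally installed app differs from a guest hosted by a "host" app; because the page notes the host can hook the guest at runtime, they are a signal to log and report server-side, not a guarantee.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Process;
import java.util.ArrayList;
import java.util.List;

/** Startup self-check: does this process look like it was launched inside
 *  another app's virtualization sandbox rather than installed normally?
 *  Heuristics only (assumed, not from the report): hooks inside the sandbox
 *  can falsify every answer, so treat a non-empty result as one signal. */
public final class VirtualizationCheck {

    public static List<String> findIndicators(Context ctx) {
        List<String> hits = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo self = ctx.getApplicationInfo();

        // 1. A normally installed APK lives under /data/app/...; a guest APK
        //    downloaded by a host app is usually loaded from the host's storage.
        if (self.sourceDir == null || !self.sourceDir.startsWith("/data/app/")) {
            hits.add("unexpected APK location: " + self.sourceDir);
        }

        // 2. The private data directory must belong to this package, not to a host.
        String dataDir = ctx.getFilesDir().getAbsolutePath();
        if (!dataDir.contains("/" + pkg + "/")) {
            hits.add("data dir not owned by " + pkg + ": " + dataDir);
        }

        // 3. The Linux UID of this process must equal the UID PackageManager
        //    assigned to this package; inside a sandbox it is the host's UID.
        try {
            int registered = ctx.getPackageManager().getApplicationInfo(pkg, 0).uid;
            if (registered != Process.myUid()) {
                hits.add("uid mismatch: process=" + Process.myUid()
                        + " registered=" + registered);
            }
        } catch (PackageManager.NameNotFoundException e) {
            hits.add("package " + pkg + " is unknown to PackageManager");
        }
        return hits;  // empty list = no indicators found
    }
}
```

Call `findIndicators(getApplicationContext())` early in `Application.onCreate()` and send any hits to your fraud or telemetry backend rather than acting on them locally, where a hooking framework could suppress the reaction.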

The impact of this attack vector is severe. While this GodFather campaign casts a wide net, targeting nearly 500 applications globally, our analysis reveals that this highly sophisticated virtualization attack is currently focused on a dozen Turkish financial institutions. This discovery represents a significant leap in capability beyond previously documented research like “FjordPhantom” and the most recent publicly available analysis reported by Cyble in November 2024. The malware grants attackers the ability to steal a wide range of login credentials, from usernames and passwords to device PINs, ultimately leading to a full account takeover. More broadly, this virtualization technique erodes the fundamental trust between a user and their mobile applications, rendering the device itself an untrusted environment where even legitimate apps can be turned into tools for espionage and theft.

Read the full analysis at Zimperium

The 4iMag Team is a collective byline representing the collaborative work of journalists, researchers, academics, and field experts who contribute to 4i Magazine’s exploration of innovation, intelligence, information, and insight. Each article published under the 4iMag Team is a result of interdisciplinary collaboration—blending in-depth journalistic investigation with the expertise of leading lecturers, professionals, and specialists from around the world. By fusing front line reporting with expert perspectives, especially on breakthroughs in fields like artificial intelligence, cybersecurity, space technology, and emerging scientific paradigms, the 4iMag Team produces timely, well-researched content that is both accurate and rich in thought leadership.