GodFather Android Malware Runs Real Apps in a Sandbox to Steal Data
Cybersecurity researchers at Zimperium zLabs, led by Fernando Ortega and Vishnu Pratapagiri, have uncovered a dangerous new version of the GodFather Android malware using an advanced technique called on-device virtualization to take over legitimate mobile apps. It especially targets banking and cryptocurrency apps, effectively turning your own device into a spy.
The Virtualization Trick
Instead of merely drawing a fake screen over the real app, as a classic overlay attack does, the malware installs a hidden host app that downloads and runs a genuine copy of your banking or crypto app inside its own controlled space, a sandbox. When you try to open the actual app, the malware redirects you to this virtual copy.
The malware then monitors and controls every action, tap, and keystroke in real time. Because you are interacting with the real app, only inside a manipulated environment, there is almost nothing visible to tip you off. This lets attackers capture usernames, passwords, and device PINs, and with them take complete control of your accounts.
This method gives attackers a huge advantage. They can steal sensitive data as you enter it and even change how the app behaves, bypassing security checks such as root detection. Notably, the GodFather banking malware is built by repurposing legitimate open-source tools, such as VirtualApp (an app-virtualization engine) and XposedBridge (a method-hooking framework), to carry out its deceptive attacks and evade detection.
Global Targets and Evasive Manoeuvres
While GodFather employs its advanced virtualization, it also continues to use traditional overlay attacks, placing deceptive screens directly over legitimate applications. This dual approach shows the threat actors’ remarkable ability to adapt their methods.
According to the company’s blog post, the GodFather Android malware campaign is widespread, targeting 484 applications globally, though the highly advanced virtualization attack currently focuses on 12 specific Turkish financial institutions. This broad reach includes not just banking and cryptocurrency platforms, but also major global services for payments, e-commerce, social media, and communication.
The malware also uses tricks to avoid being found by security tools. It tampers with the structure of its APK files (Android app packages) so that they look encrypted, and it inserts misleading information such as $JADXBLOCK. It also moves much of its harmful code into the Java layer of the app and pads its Android manifest with irrelevant entries to make it harder to read.
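One way a malicious APK can be made to "look encrypted" is by setting the encryption bit in its ZIP headers without actually encrypting anything: a tool that trusts the flag refuses to open the entry, while the Android installer still gets a perfectly good file. The following is an added example, written for this article and not Zimperium's or the malware authors' code, that builds a small APK-shaped ZIP in memory with placeholder contents (a constructed sample, not real malware), flips the flag on some entries, and then scans the archive for two tell-tale inconsistencies: local and central-directory flag words that disagree, and "encrypted" entries whose raw bytes inflate to exactly the advertised size and CRC-32. The file names and contents are assumptions chosen for the demonstration.

```python
"""Spot fake 'encrypted' ZIP entries in an APK (added example; placeholder sample data)."""
import io
import struct
import zipfile
import zlib

# Local file header: sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen (30 bytes)
LOCAL_FMT = "<IHHHHHIIIHH"
# Central directory record: sig, vmade, vneed, flags, method, time, date, crc, csize, usize,
# nlen, xlen, clen, disk, iattr, eattr, local_header_offset (46 bytes)
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001


def _central_entries(data):
    """Yield (offset, unpacked_header, name) for every central-directory record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count = struct.unpack_from("<H", data, eocd + 10)[0]
    pos = struct.unpack_from("<I", data, eocd + 16)[0]
    for _ in range(count):
        hdr = struct.unpack_from(CENTRAL_FMT, data, pos)
        if hdr[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory at %#x" % pos)
        nlen, xlen, clen = hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield pos, hdr, name
        pos += 46 + nlen + xlen + clen


def build_sample_apk(tamper_both=("classes.dex",), tamper_central_only=("resources.arsc",)):
    """Construct an APK-shaped ZIP with placeholder files (assumed names/contents), then set the
    encryption bit without encrypting: in both headers for tamper_both, and only in the
    central directory for tamper_central_only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.placeholder'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(range(256)) * 4)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    for pos, hdr, name in list(_central_entries(data)):
        if name in tamper_both or name in tamper_central_only:
            struct.pack_into("<H", data, pos + 8, hdr[3] | FLAG_ENCRYPTED)    # central flags
        if name in tamper_both:
            lho = hdr[16]
            lflags = struct.unpack_from("<H", data, lho + 6)[0]
            struct.pack_into("<H", data, lho + 6, lflags | FLAG_ENCRYPTED)  # local flags
    return bytes(data)


def stock_parser_rejects(data, name):
    """True if Python's zipfile, which trusts the flag, refuses to read the entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(name)
            return False
        except RuntimeError:  # "File ... is encrypted, password required"
            return True


def scan_apk(data):
    """Return (entry, finding) pairs for entries whose headers lie about encryption."""
    findings = []
    for _, hdr, name in _central_entries(data):
        cflags, method, crc, csize, usize, lho = hdr[3], hdr[4], hdr[7], hdr[8], hdr[9], hdr[16]
        local = struct.unpack_from(LOCAL_FMT, data, lho)
        if local[0] != LOCAL_SIG:
            findings.append((name, "central directory points at a non-local-header offset"))
            continue
        lflags, lnlen, lxlen = local[2], local[9], local[10]
        if lflags != cflags:
            findings.append((name, "flag mismatch: local=%#06x central=%#06x" % (lflags, cflags)))
        if (cflags | lflags) & FLAG_ENCRYPTED:
            raw_start = lho + 30 + lnlen + lxlen
            raw = data[raw_start:raw_start + csize]
            try:
                plain = zlib.decompress(raw, -15) if method == 8 else raw
            except zlib.error:
                plain = None
            # Real encryption would never yield the advertised length and CRC-32.
            if plain is not None and len(plain) == usize and zlib.crc32(plain) == crc:
                findings.append((name, "encryption flag set but payload is plaintext"))
    return findings


if __name__ == "__main__":
    sample = build_sample_apk()
    for entry, finding in scan_apk(sample):
        print("%s: %s" % (entry, finding))
```

The point of verifying the CRC rather than trusting the flag is that the flag costs the attacker nothing to set, whereas a matching CRC over the inflated bytes is strong evidence the data was never encrypted. The same header-walking code is a good starting place for the other structural oddities the article mentions, since any tool that relies on the central directory alone will miss a disagreement with the local headers.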
Further analysis revealed that GodFather still abuses Android’s accessibility services (designed to help users with disabilities) to trick users into installing hidden components of its application. It shows deceptive prompts such as “You need permission to use all the features of the application,” and once it holds accessibility permissions, it can silently grant itself further permissions without the user’s knowledge.
The malware also stores key information, such as the address of its command-and-control (C2) server, in encoded form, making it harder to track. Once active, it sends details of your screen to the attackers, giving them a real-time view of your device. The discovery thus highlights the ongoing challenge in mobile security as threats become more complex and harder to spot.
“This is definitely a novel technique and I can see its potential,” said Casey Ellis, Founder at Bugcrowd. “It will be interesting to see how effective it actually is in the wild, whether or not the threat actors decide to deploy it outside of Turkiye, and if other threat actors attempt to replicate a similar approach.”