A new version of the Android malware “Godfather” now creates isolated virtual environments on mobile devices to steal account data. These malicious apps are executed inside a controlled virtual environment on the device, enabling real-time spying and transaction manipulation. This specific tactic resembles that seen in the FjordPhantom Android malware, which also used virtualization to execute SEA bank apps. However, Godfather’s targeting scope is much broader, aiming at over 500 banking, cryptocurrency, and e-commerce applications around the world. The level of deception is very high, as the user sees the real app interface while their actions are being monitored.
The Godfather malware comes in the form of an APK app containing an embedded on-device virtualization framework for its malicious operations.
It cleverly leverages various open-source tools such as the VirtualApp engine and also the Xposed framework for its API hooking capabilities. Once it becomes active on the device, it checks for installed target apps and places them inside its own virtual environment. It then uses a StubActivity to launch the banking app inside the host container, which effectively tricks the Android operating system. When the victim launches the real banking app, Godfather’s accessibility service intercepts the ‘Intent’ and then redirects it to this StubActivity.
The unsuspecting user sees the real application interface, but all sensitive data involved in their various interactions can be easily hijacked. By using the Xposed framework for extensive API hooking, Godfather can successfully record account credentials, various passwords, PINs, and also touch events. It can also capture all of the important responses from the legitimate banking backend server to facilitate its fraudulent transaction activities. The malware displays a fake lock screen overlay at key moments to trick the victim into entering their personal PINs or passwords.
It then awaits commands from its operators to perform UI navigation and trigger payments from inside the real banking app.
Godfather first appeared in the Android malware space back in March 2021, as was discovered by the security firm ThreatFabric. The latest Godfather version constitutes a significant evolution from the last sample that was analyzed by Group-IB in December 2022. That older version had targeted 400 apps across 16 different countries using simple HTML login screen overlays on top of apps. Although the new campaign Zimperium spotted only targets a dozen Turkish bank apps, other operators may opt to activate other subsets. To protect yourself from this sophisticated malware, only download apps from Google Play or from publishers you absolutely trust and always check permissions.