The dark side of virtualisation 

Zimperium zLabs have uncovered a sophisticated evolution of the GodFather banking malware that leverages an advanced on-device virtualisation technique to hijack several legitimate applications, with a focus on mobile banking and cryptocurrency applications. This method marks a significant leap in mobile threat capabilities, moving beyond traditional overlays to a more deceptive and effective form of attack. 

The core of this novel technique is the malware’s ability to create a complete, isolated virtual environment on the victim’s device. Instead of simply mimicking a login screen, the malware installs a malicious ‘host’ application that contains a virtualisation framework. This host then downloads and runs a copy of the actual targeted banking or cryptocurrency app within its controlled sandbox. When a user launches their app, they are seamlessly redirected to this virtualised instance, where every action, tap and data entry is monitored and controlled by the malware at runtime. 

This virtualisation technique gives attackers several critical advantages over previously seen malware. By running the legitimate app inside a controlled environment, attackers gain total visibility into the application’s processes, allowing them to intercept credentials and sensitive data in real time. The malware can be controlled remotely and can also use hooking frameworks to modify the behaviour of the virtualised app, effectively bypassing security checks such as root detection. In addition to this core technique, GodFather has evolved its evasive manoeuvres, employing ZIP manipulation and shifting code to the Java layer to defeat static analysis tools. Crucially, because the user is interacting with the real, unaltered application, the attack achieves near-perfect deception: it is nearly impossible to detect through visual inspection, and user vigilance is neutralised. 
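Because the guest app in this scheme runs inside the host's sandbox rather than in its own installed process, an app can look for traces of that container at startup. The following is an added example of such a defensive check, not code from the Zimperium report or from GodFather; the class name, the `allowedPackages` parameter and the two heuristics (data-directory location, foreign native libraries in `/proc/self/maps`) are this example's own assumptions about how a container relocates a guest app.

```java
import android.content.Context;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Heuristic check (example code, not from the report) for running inside a virtual container. */
public final class VirtualContainerCheck {

    // Returns the indicators that fired; an empty list means nothing suspicious.
    // allowedPackages: packages that legitimately map native code into this process.
    public static List<String> findIndicators(Context ctx, Set<String> allowedPackages)
            throws IOException {
        List<String> hits = new ArrayList<>();
        String pkg = ctx.getPackageName();

        // 1. A normally installed app gets /data/user/<n>/<pkg> (or /data/data/<pkg>)
        //    as its private data directory. A container typically relocates the
        //    guest's data somewhere under the host app's own directory.
        String dataDir = ctx.getApplicationInfo().dataDir;
        Pattern expected = Pattern.compile("^/data/(data|user/\\d+)/" + Pattern.quote(pkg) + "$");
        if (dataDir == null || !expected.matcher(dataDir).matches()) {
            hits.add("unexpected dataDir: " + dataDir);
        }

        // 2. Native libraries mapped from another app's install or data directory
        //    suggest an injected hooking or virtualisation framework.
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int slash = line.indexOf('/');
                if (slash < 0) continue;
                String path = line.substring(slash);
                boolean fromApp = path.startsWith("/data/app/")
                        || path.startsWith("/data/data/")
                        || path.startsWith("/data/user/");
                if (!fromApp || !path.endsWith(".so") || path.contains("/" + pkg)) continue;
                boolean allowed = false;
                for (String p : allowedPackages) {
                    if (path.contains("/" + p)) { allowed = true; break; }
                }
                if (!allowed) hits.add("foreign native library mapped: " + path);
            }
        }
        return hits;
    }
}
```

Call it early in `Application.onCreate()` with an allowlist covering components that legitimately load code into app processes (for example Google Play services and the system WebView) to avoid false positives. Since the same hooking frameworks the article describes can patch Java-level checks, treat the result as one signal to report server-side rather than as a sole gate.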

The impact of this attack vector is severe. While this GodFather campaign casts a wide net, targeting nearly 500 applications globally, our analysis reveals that this highly sophisticated virtualisation attack is currently focused on a dozen Turkish financial institutions. This discovery represents a significant leap in capability beyond previously documented research such as FjordPhantom and the most recent publicly available analysis, reported by Cyble in November 2024. The malware grants attackers the ability to steal a wide range of login credentials, from usernames and passwords to device PINs, ultimately leading to a full account takeover. In the end, this virtualisation technique erodes the fundamental trust between a user and their mobile applications, rendering the device itself an untrusted environment in which even legitimate apps can be turned into tools for espionage and theft. 
