A more sophisticated build of the GodFather Android banking malware has been observed targeting 12 Turkish banks while scanning for nearly 500 apps globally, including cryptocurrency wallets and financial platforms. What sets this variant apart is an on-device technique the researchers call “Virtualization-as-a-Weapon”: rather than imitating a legitimate app, it hijacks the app itself, with the goal of taking full control of the device.

In a June 18 blog post, Zimperium researchers said GodFather can now create a complete, isolated virtual environment on a victim’s device. Instead of overlaying a fake login screen on the real app, the malware installs a malicious “host” app that contains a virtualization framework. The host then downloads and runs a copy of the actual targeted banking or cryptocurrency app inside a hidden sandbox. That gives the malware full control over, and visibility into, the app at runtime, without the target app ever being installed on the system itself.

“The sophisticated advancement of the GodFather banking malware, using advanced on-device virtualization, signifies a significant breach of trust between users and their mobile applications,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “This cunning method enables the malware to fully control legitimate apps, effortlessly capturing credentials and sensitive information during runtime while hooking internal APIs to alter app behavior and circumvent security measures.”

Schwake explained that the upgraded GodFather malware presents security teams with a serious threat beyond standard mobile overlays, because it directly undermines the integrity of financial and cryptocurrency transactions at the level of the user’s device.
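The virtualization trick described above leaves traces a target app can inspect from the inside: the guest copy runs under the host app’s control and from the host’s private storage, not from the location where the package manager would have installed it. As an added illustration, not code from Zimperium’s report or from any bank, here is a self-contained Java helper a banking or wallet app could run at start-up. It takes the values an Android app obtains from `Context.getPackageName()`, `ApplicationInfo.dataDir`, `ApplicationInfo.uid`, `android.os.Process.myUid()` and `/proc/self/maps`, and returns the inconsistencies it finds. The package names, paths and uids in `main` are constructed; the assumption that a virtualization host keeps its guest’s data and APK below its own private directory is a general property of such frameworks, not a detail from the article.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Heuristic self-checks for an Android app that wants to know whether it is
 * running inside another app's virtualization sandbox. The inputs are plain
 * values so the logic can be unit-tested off-device; on Android they come from
 * Context.getPackageName(), ApplicationInfo.dataDir, ApplicationInfo.uid,
 * android.os.Process.myUid() and the contents of /proc/self/maps.
 */
public final class VirtualizationCheck {
    // Owner package of an installed APK path: /data/app/<pkg>-<hash>/base.apk on older
    // Android, /data/app/~~<hash>==/<pkg>-<hash>==/base.apk on Android 11 and later.
    private static final Pattern APK_OWNER =
            Pattern.compile("/data/app/(?:[^/]+/)?([A-Za-z0-9_.]+)-[^/]+/base\\.apk");

    /** Returns a list of inconsistencies; an empty list means no indicator fired. */
    public static List<String> findIndicators(String packageName, String dataDir,
                                              int myUid, int appInfoUid,
                                              String procSelfMaps) {
        List<String> hits = new ArrayList<>();

        // 1. An installed app's private directory is /data/user/<n>/<pkg> (or the
        //    /data/data/<pkg> symlink). Assumption: a virtualization host places the
        //    guest's data somewhere below its own private directory instead.
        boolean expectedDir = dataDir.matches("/data/user/\\d+/" + Pattern.quote(packageName))
                || dataDir.equals("/data/data/" + packageName);
        if (!expectedDir) {
            hits.add("data directory outside the installed location: " + dataDir);
        }

        // 2. The kernel-reported uid of this process (getuid) should equal the uid the
        //    package manager assigned to our package; inside a host we run as its uid.
        if (myUid != appInfoUid) {
            hits.add("process uid " + myUid + " differs from package uid " + appInfoUid);
        }

        // 3. Any installed APK mapped into this process that belongs to another package
        //    is code we did not ship: in this scenario, the host app's own base.apk.
        Set<String> foreign = new TreeSet<>();
        Matcher m = APK_OWNER.matcher(procSelfMaps);
        while (m.find()) {
            String owner = m.group(1);
            if (!owner.equals(packageName)) {
                foreign.add(owner);
            }
        }
        for (String owner : foreign) {
            hits.add("APK of another package mapped in this process: " + owner);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample (hypothetical package names, paths and uids): the guest
        // believes it is com.example.bank but runs from com.example.host's storage.
        String maps = String.join("\n",
                "7f1a000000-7f1a200000 r--p 00000000 fd:05 1234 /data/app/~~AbC==/com.example.host-xYz==/base.apk",
                "7f1a400000-7f1a600000 r--p 00000000 fd:05 5678 /data/data/com.example.host/virtual/data/user/0/com.example.bank/base.apk",
                "7f1b000000-7f1b100000 r-xp 00000000 fd:01 42 /system/lib64/libc.so");
        List<String> hits = findIndicators(
                "com.example.bank",
                "/data/data/com.example.host/virtual/data/user/0/com.example.bank",
                10123, 10456, maps);
        System.out.println(hits.isEmpty() ? "no virtualization indicators" : String.join("\n", hits));
    }
}
```

These are heuristics, not proof: a framework that hooks the Java-level calls can hand the app consistent fake values, and reading `/proc/self/maps` is itself interceptable. They raise the attacker’s cost; any hit is best reported to the backend, alongside platform attestation such as Play Integrity, rather than acted on locally where the host can simply suppress the response.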
He said it highlights the pressing need for a robust security strategy that protects backend APIs and accounts for sophisticated client-side compromises, which aim to steal the credentials that unlock API access and to manipulate API-driven interactions from the user’s device, the point of origin.

Casey Ellis, founder of Bugcrowd, added that the Zimperium research does reveal a novel technique.

“It will be interesting to see how effective it actually is in the wild, whether or not the threat actors decide to deploy it outside of Turkey, and if other threat actors attempt to replicate a similar approach,” said Ellis.

Nic Adams, co-founder and CEO at 0rcus, said mobile malware threats are mirroring the sophistication seen in advanced persistent threats (APTs) targeting traditional endpoints. “Manipulation of accessibility services and mimicry of trusted apps are leading indicators,” said Adams.

“Attackers now go far beyond simple malware to abuse intended operating system functionalities for malicious purposes, which makes them harder to distinguish from legitimate user activity,” said Adams. “The ability to grant permissions covertly or to trick users into granting them demonstrates a deep understanding of user psychology and Android’s permission model. Finally, abusing accessibility services allows for persistent control, keylogging, screen reading, and bypassing user interaction for further malicious actions, all while remaining highly stealthy.”

GodFather banking malware creates virtual environment on victim devices
