Advanced Virtualization Techniques Employed by Godfather Android Malware to Compromise Banking Applications

A new variant of the Android malware known as “Godfather” has emerged, employing virtualization technology to create isolated environments on mobile devices. This sophisticated approach allows it to capture account information and conduct fraudulent transactions through legitimate banking applications.

The malware operates by executing malicious apps within a controlled virtual space on the device, enabling real-time surveillance, credential theft, and transaction manipulation while effectively masquerading as genuine software. This method mirrors techniques previously observed in the FjordPhantom malware, which employed virtualization for similar purposes in late 2023, specifically targeting banking applications to evade detection.

However, Godfather’s scope of attack is significantly wider, encompassing over 500 applications related to banking, cryptocurrency, and e-commerce globally. The malware utilizes a comprehensive virtual filesystem, virtual Process ID, intent spoofing, and a StubActivity mechanism to facilitate its operations undetected.

According to analysis from cybersecurity firm Zimperium, the deception achieved by Godfather is considerable. Users see the genuine user interface of their applications, while Android security mechanisms fail to identify the underlying malicious activity because only the host app's own components are declared in the manifest; the virtualized banking app runs inside that host rather than as a separately installed package.

Virtualized Data Theft

Godfather is distributed as an APK file that includes an integrated virtualization framework, making use of open-source resources like the VirtualApp engine and Xposed for application hooking.

Upon installation, the malware scans for targeted applications, and upon detection, it encapsulates them in its virtual environment, deploying a StubActivity to initiate execution within the host container. A StubActivity functions as a placeholder; it lacks its own interface or logic but directs actions to the host app, misleading Android into believing a legitimate application is being executed while actual control lies with the malware.

When users access their legitimate banking apps, Godfather’s accessibility service intercepts their “Intent” commands, rerouting them to a StubActivity in the host application, which activates the virtual variant of the banking app. The interface remains genuine from the user’s perspective, yet sensitive data exchanged during interactions can be readily compromised.

Using the Xposed framework to hook the guest app's API calls, Godfather is capable of recording sensitive credentials, passwords, PINs, and touch events, and of capturing responses from banking systems. Furthermore, the malware can display a deceptive lock screen overlay at critical moments to trick users into submitting their PINs or passwords.
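As an added defensive example (not code from Zimperium's report or from the malware), the following Python script triages a decoded AndroidManifest.xml for the container pattern the article describes: a farm of placeholder stub activities, an accessibility service, and references to the VirtualApp or Xposed frameworks. The framework class-name fragments and the thresholds are assumptions for illustration, and the sample manifest is constructed, not a real Godfather artifact.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Class-name fragments of the open-source VirtualApp engine and Xposed framework
# named in the article. These substrings are assumptions for illustration.
FRAMEWORK_MARKERS = ("lody.virtual", "virtualapp", "xposed")


def triage_manifest(manifest_xml: str) -> dict:
    """Return heuristic findings for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return {"stub_activities": 0, "accessibility_services": [],
                "framework_refs": [], "suspicious": False}
    activities = [a.get(NAME, "") for a in app.iter("activity")]
    # Placeholder activities: a virtualization container declares many
    # near-identical stub classes (StubActivity$C0, $C1, ...) to host any guest app.
    stubs = [n for n in activities if re.search(r"stub", n, re.IGNORECASE)]
    access = [s.get(NAME, "") for s in app.iter("service")
              if s.get(PERMISSION) == ACCESSIBILITY_PERM]
    names = [e.get(NAME, "") for e in root.iter()]
    refs = sorted({n for n in names if any(m in n.lower() for m in FRAMEWORK_MARKERS)})
    # A stub farm alone can be legitimate (app cloners use one); combined with an
    # accessibility service or hooking-framework classes it warrants analyst review.
    suspicious = len(stubs) >= 5 and (bool(access) or bool(refs))
    return {"stub_activities": len(stubs), "accessibility_services": access,
            "framework_refs": refs, "suspicious": suspicious}


# Constructed sample manifest for demonstration, not a real Godfather artifact.
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.constructed">'
    '<uses-permission android:name="android.permission.INTERNET"/>'
    '<application android:name="com.lody.virtual.client.stub.VirtualApp">'
    '<activity android:name=".MainActivity"/>'
    + "".join(f'<activity android:name="com.lody.virtual.client.stub.StubActivity$C{i}"/>'
              for i in range(8))
    + '<service android:name=".AccessService" '
    'android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>'
    '</application></manifest>'
)

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against the output of a manifest decoder such as apktool; a hit is a triage signal for manual review, not proof of malice.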

Upon successfully gathering data, Godfather remains poised for further commands from its operators, enabling them to unlock the device, navigate the user interface, launch applications, and execute payments or fund transfers while concealing these actions from the user via fake update screens or black displays.

Evolving Threat

Initially detected in March 2021 by ThreatFabric, Godfather has undergone significant evolution and sophistication. The latest iteration represents a marked advancement compared to its previous forms, which targeted around 400 applications and conducted operations across 16 countries using deceptive HTML login overlays for banking and cryptocurrency exchanges.

Although current operations identified by Zimperium focus on several Turkish bank applications, it is important to note that other operators of Godfather could potentially activate a broader range of the 500 applications targeted to launch attacks in various regions.

To safeguard against this malware, users are advised to download applications solely from Google Play or trusted publishers, ensure Play Protect functionality is active, and remain vigilant regarding permissions requested by apps.