A new version of the Android “Godfather” malware creates isolated virtual environments on mobile devices to steal account data and transactions from legitimate banking applications.
The targeted applications are executed in a virtual environment controlled on the device, allowing real-time spying, credential theft and transaction manipulation while maintaining a perfect visual deception.
The tactics resemble those observed in the Android FjordPhantom malware at the end of 2023, which also used virtualization to run legitimate banking applications inside containers to evade detection.
However, Godfather's targeting is much wider: more than 500 banking, cryptocurrency and e-commerce applications worldwide, using a complete virtual file system, virtual process identifiers, and virtualized intents and display.
According to Zimperium, which analyzed it, the level of deception is very high. The user sees the real application's user interface, and Android's protections miss the malicious activity because only the host application's activities are declared in the manifest.
Virtualized data theft
Godfather comes as an APK containing an embedded virtualization framework, leveraging open-source tools such as VirtualApp and the Xposed engine for hooking.
Once active on the device, it checks for installed target applications and, if one is found, places it in its virtual environment and uses a stub activity to launch it inside the host container.
A stub activity is a placeholder activity declared in the application running the virtualization engine (the malware) which acts as a shell or proxy for launching and running the activities of the virtualized applications.
It contains no user interface or logic of its own; instead, it delegates behavior to the host application, leading Android to believe that a legitimate application is running while the malware intercepts and controls it.
Source: Zimperium
When the victim launches the real banking application, Godfather's accessibility service permission lets it intercept the intent and redirect it to a stub activity within the host application, which starts the virtual version of the banking application inside the container.
The user sees the real application's interface, but all the sensitive data involved in their interactions can easily be siphoned off.
Using Xposed for API hooking, Godfather can record credentials, passwords, PINs and touch events, and capture the banking backend's responses.
Source: Zimperium
The malware displays a fake lock-screen overlay at key moments to entice the victim into entering their PIN/password.
Once it has collected and exfiltrated all this data, it awaits the operators' commands to unlock the device, perform UI navigation, open applications and trigger payments/transfers inside the actual banking application.
Meanwhile, the user sees a fake “update” screen or a black screen so as not to raise suspicion.
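As an added illustration (not Zimperium's or the malware's code), the following Python triage heuristic shows how a static APK analyzer could flag the combination described above: an accessibility service, bundled VirtualApp/Xposed classes, and stub activities declared in the host manifest but living in the engine's namespace. The engine package prefixes and the sample app summaries are assumptions constructed for the example.

```python
# Heuristic triage for an APK that bundles an app-virtualization engine.
# Added example, not Zimperium's or the malware's code. Input is a constructed
# summary of what a static APK analyzer would extract from the manifest and
# the DEX class list. Engine package prefixes are assumptions based on the
# public VirtualApp and Xposed projects named in the article.
from dataclasses import dataclass

VIRTUALIZATION_PREFIXES = ("com.lody.virtual.", "de.robv.android.xposed.")
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


@dataclass
class AppSummary:
    package: str              # applicationId from the manifest
    service_permissions: set  # android:permission values on <service> tags
    activities: list          # activity class names declared in the manifest
    classes: list             # class names found in classes*.dex


def virtualization_indicators(app):
    """Return the reasons an app looks like a virtualization host."""
    reasons = []
    if ACCESSIBILITY_PERMISSION in app.service_permissions:
        reasons.append("declares an accessibility service")
    engines = [p for p in VIRTUALIZATION_PREFIXES
               if any(c.startswith(p) for c in app.classes)]
    if engines:
        reasons.append("bundles engine: " + ", ".join(engines))
    # Stub activities are declared in the host's manifest (so Android sees only
    # host activities) but live in the engine's namespace, not the app's own.
    stubs = [a for a in app.activities if a.startswith(VIRTUALIZATION_PREFIXES)]
    if stubs:
        reasons.append(f"engine-namespace activities in manifest: {len(stubs)}")
    return reasons


def is_virtualization_host(app):
    """An engine alone may be a legitimate sandbox app; require a second signal."""
    reasons = virtualization_indicators(app)
    return any(r.startswith("bundles") for r in reasons) and len(reasons) >= 2


# Constructed samples: a plain banking client and a virtualization host.
BENIGN = AppSummary("com.example.bank", set(), ["com.example.bank.MainActivity"],
                    ["com.example.bank.MainActivity", "com.example.bank.net.Api"])
SUSPECT = AppSummary("com.example.host", {ACCESSIBILITY_PERMISSION},
                     ["com.example.host.MainActivity",
                      "com.lody.virtual.client.stub.StubActivity$C0"],
                     ["com.example.host.MainActivity",
                      "com.lody.virtual.client.core.VirtualCore",
                      "de.robv.android.xposed.XposedBridge"])
```

Running the heuristic over real APKs requires feeding it manifest and DEX data from a decompiler; a lone engine hit is deliberately not enough, since legitimate dual-app sandboxes also embed VirtualApp.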
Evolving threat
Godfather first appeared in the Android malware space in March 2021, as ThreatFabric discovered, and has followed an impressive evolutionary trajectory since then.
The latest version of Godfather constitutes a significant evolution from the last sample analyzed by Group-IB in December 2022, which targeted 400 applications in 16 countries using HTML login-screen overlays, in addition to crypto wallet and exchange applications.
Although the campaign Zimperium tracked targets only a dozen Turkish banking applications, other Godfather operators may choose to activate other subsets of the 500 targeted applications to attack different regions.
To protect yourself from this malware, download apps only from Google Play or from APK publishers you trust, make sure Play Protect is active, and pay attention to the permissions requested.