- Zimperium discovers new version of GodFather among Turkish Android users
- New version creates virtualized versions of legitimate banking apps in a sandbox
- It can exfiltrate login credentials, PIN codes and unlock patterns
The notorious GodFather malware for Android phones is back with a vengeance, experts have warned, targeting victims with an upgraded build that makes it more dangerous than ever.
Cybersecurity researchers at Zimperium say they have spotted an updated version of the notorious malware in the wild, and this one is more dangerous still, since it simplifies the fraud for the operators while evading detection even better.
GodFather is a banking trojan used to steal money from people's bank accounts. Previous variants worked as overlays, placing an invisible layer on top of legitimate banking apps. When victims opened their apps and started typing their login credentials, the overlay captured them and sent them to the attackers, who would later log in to the app themselves and withdraw the cash.
Virtualization attack
The new version, however, ditches the overlay approach for something even creepier: it creates a virtualized version of the app itself.
On a compromised device, the malware launches a virtual instance of the banking app inside a sandbox it controls. This way the malware does not even have to request excessive permissions to carry out wire fraud, and it means victims may no longer be able to trust even the legitimate apps they have installed.
When a victim is infected, the malware first analyzes the installed apps and looks for a banking app it can target.
If it finds one, it creates a virtualized version, which is launched instead whenever the victim tries to open the legitimate app.
In addition to stealing login credentials, GodFather exfiltrates PIN codes and unlock patterns, and it can remotely control the device during off hours (for example, in the middle of the night), making wire transfers while the victim is asleep.
Zimperium says it has so far only observed the new GodFather among Turkish Android users, but it warned that the malware's operators could turn towards the West at any time, so bank users everywhere should be on their guard.
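The virtualization technique described above is exactly what a banking app's own runtime environment check would try to notice. The following Java class is an added illustration, not code from Zimperium, from GodFather, or from any real banking app: it collects a few heuristic signals that a normally installed Android app would not trip but that a copy redirected into another app's container usually does. The specific signals (data directory path, UID mismatch, APK location) are assumptions about how app-virtualization containers commonly behave, not details from the report, and a container can spoof them, so a hit should feed a risk score rather than serve as proof.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;

import java.util.ArrayList;
import java.util.List;

/**
 * Heuristic runtime environment check for an app that wants to notice when it
 * has been launched inside another app's virtualization container instead of
 * as a normally installed package. Added illustration: the signals below are
 * assumptions about common container behaviour, not details from Zimperium's
 * report, and a determined container can spoof them.
 */
public final class VirtualizationCheck {

    private VirtualizationCheck() {}

    /** Returns human-readable findings; an empty list means nothing looked off. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. A normally installed app's private data lives at /data/user/<n>/<package>
        //    (or the /data/data/<package> symlink). A virtualized copy is usually
        //    redirected into the host app's own private storage instead.
        String dataDir = ai.dataDir == null ? "" : ai.dataDir;
        if (!dataDir.endsWith("/" + pkg)) {
            out.add("dataDir does not belong to this package: " + dataDir);
        }
        String filesDir = ctx.getFilesDir().getAbsolutePath();
        if (!filesDir.contains("/" + pkg + "/")) {
            out.add("filesDir is outside this package's data directory: " + filesDir);
        }

        // 2. The kernel UID of the running process should equal the UID that
        //    PackageManager assigned to the package. Inside a container the process
        //    runs as the host app's UID while ApplicationInfo may carry another value.
        int procUid = Process.myUid();
        if (procUid != ai.uid) {
            out.add("process uid " + procUid + " differs from ApplicationInfo.uid " + ai.uid);
        }

        // 3. Installed APKs are served from the system's app directories, not from
        //    another app's private data; a container typically loads the copied APK
        //    from inside its own data directory.
        String src = ai.sourceDir == null ? "" : ai.sourceDir;
        if (src.startsWith("/data/data/") || src.startsWith("/data/user/")) {
            out.add("APK loaded from an app data directory: " + src);
        }
        return out;
    }

    /** Convenience wrapper for callers that only need a yes/no answer. */
    public static boolean looksVirtualized(Context ctx) {
        return !findings(ctx).isEmpty();
    }
}
```

A typical placement is early in `Application.onCreate()`, calling `VirtualizationCheck.findings(getApplicationContext())` and reporting any non-empty result to the bank's fraud backend alongside the session, so that the server side can step up authentication or block high-value transfers from that device rather than relying on the client alone.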
Via Infosecurity