- Experts warn of malware that runs real apps inside fake virtual environments
- Godfather bypasses security checks and overlays fake screens to steal credentials
- It targets banking and crypto apps globally with almost invisible techniques
Zimperium zLabs has revealed a new version of the Godfather malware that uses on-device virtualization to hijack real banking and cryptocurrency apps.
Unlike older attacks that show fake login screens, this malware launches the actual apps in a virtual space where the attackers can see everything the user does.
The attack begins with a host app that includes a virtualization tool; this host app downloads the targeted banking or crypto app and runs it in a private environment.
Moving beyond simple overlays
When users open their app, they are redirected without their knowledge to the virtual copy. From there, every tap, login and PIN is captured in real time.
Because the user is interacting with a real app, it is almost impossible to spot the attack by looking at the screen.
Godfather also uses ZIP manipulation tricks and hides much of its code in a way that defeats static analysis. It requests accessibility permissions and then silently grants itself more access, making the attack seamless and difficult to detect.
“Mobile attackers move beyond simple overlays; virtualization gives them unlimited, live access inside trusted apps,” said Fernando Ortega, senior security researcher, Zimperium zLabs.
“Businesses need on-device, behavior-based detection and runtime app protection to stay ahead of this shift against a mobile-first attack strategy.”
Zimperium’s analysis shows that this version of Godfather is focused on Turkish banks, but the campaign targets nearly 500 apps globally, including financial services, cryptocurrency platforms, e-commerce and messaging apps.
The malware checks for specific apps on the device, clones them into the virtual space and uses the cloned version to collect data and track user behavior.
It can also steal the device’s lock-screen credentials using fake overlays that mimic system prompts.
Attackers can control the infected phone remotely through a set of commands that can perform swipes, open apps, change the screen brightness and simulate other user actions.
How to stay safe
- Avoid installing apps from unknown sources; always use official stores such as Google Play.
- Check app permissions carefully. If an app asks for accessibility access or the permission to draw over other apps (screen overlays) for no clear reason, uninstall it immediately.
- Keep your phone’s operating system up to date.
- Use mobile security tools from trusted developers.
- Avoid sideloading APK files, even if they are shared by someone you know.
- Restart your phone regularly; this can clear malware that has not established persistence.
- Watch for unusual behavior, such as faster-than-usual battery drain and strange, unexpected overlays.
- If your banking app ever looks different or asks you to log in more often than usual, stop using it and contact your bank.
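The permission checks in the list above can be turned into a quick triage script for anyone who can connect a phone over USB debugging. The following Python is an added example for this article, not Zimperium's code or part of the report: it parses the text output of three stock `adb shell` commands (`pm list packages -3 -i`, `settings get secure enabled_accessibility_services`, `appops query-op SYSTEM_ALERT_WINDOW allow`) and flags third-party apps that hold the capabilities the campaign abuses, an enabled accessibility service, the draw-over-other-apps permission, or installation from somewhere other than a trusted store. The exact column spacing of the `pm` and `appops` output and the list of trusted installer packages are assumptions; the sample dumps are constructed so the script runs offline.

```python
"""Permission triage for Android devices, following the safety tips above.

Added example, not Zimperium's code. Parses the output of three stock
`adb shell` commands and flags third-party apps that hold the capabilities
the Godfather campaign abuses. Runs offline against the constructed sample
dumps below; collect_live() is an optional path for a connected device.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass, field

# Installer packages treated as trusted stores (assumption; add OEM stores as needed).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output, not captured from a real device.
SAMPLE_PM = """package:com.example.pdfreader  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.chat  installer=com.android.vending
"""
SAMPLE_SETTINGS = "com.example.pdfreader/com.example.pdfreader.HelperService\n"
SAMPLE_APPOPS = "com.example.pdfreader\ncom.example.chat\n"


@dataclass
class Finding:
    package: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        """Sideloaded plus an accessibility service is the combination to escalate."""
        sideloaded = any(r.startswith("sideloaded") for r in self.reasons)
        a11y = "accessibility service enabled" in self.reasons
        if sideloaded and a11y:
            return "high"
        return "medium" if len(self.reasons) > 1 else "low"


def parse_third_party(pm_output: str) -> dict:
    """`pm list packages -3 -i` -> {package: installer or None}. Spacing is assumed."""
    apps = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)(?:\s+installer=(\S+))?", line.strip())
        if m:
            installer = m.group(2)
            apps[m.group(1)] = None if installer in (None, "null") else installer
    return apps


def parse_accessibility(settings_output: str) -> set:
    """`settings get secure enabled_accessibility_services` -> packages.
    The value is `pkg/ServiceClass:pkg2/ServiceClass2`, or `null` when empty."""
    value = settings_output.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_overlay(appops_output: str) -> set:
    """`appops query-op SYSTEM_ALERT_WINDOW allow` -> packages, one per line (assumed)."""
    return {line.strip() for line in appops_output.splitlines() if line.strip()}


def triage(pm_output: str, settings_output: str, appops_output: str) -> list:
    """Return one Finding per third-party app with at least one risk indicator."""
    apps = parse_third_party(pm_output)
    a11y = parse_accessibility(settings_output)
    overlay = parse_overlay(appops_output)
    findings = []
    for pkg, installer in sorted(apps.items()):
        f = Finding(pkg)
        if installer not in TRUSTED_INSTALLERS:
            f.reasons.append(f"sideloaded (installer={installer})")
        if pkg in a11y:
            f.reasons.append("accessibility service enabled")
        if pkg in overlay:
            f.reasons.append("draw-over-other-apps allowed")
        if f.reasons:
            findings.append(f)
    return findings


def collect_live() -> tuple:
    """Pull the three dumps from a USB-debugging device via adb (adb must be on PATH)."""
    def sh(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True, text=True).stdout
    return (sh("pm", "list", "packages", "-3", "-i"),
            sh("settings", "get", "secure", "enabled_accessibility_services"),
            sh("appops", "query-op", "SYSTEM_ALERT_WINDOW", "allow"))


if __name__ == "__main__":
    dumps = collect_live() if shutil.which("adb") else (SAMPLE_PM, SAMPLE_SETTINGS, SAMPLE_APPOPS)
    for finding in triage(*dumps):
        print(f"[{finding.severity}] {finding.package}: {'; '.join(finding.reasons)}")
```

On the constructed sample the sideloaded PDF reader with an enabled accessibility service and overlay permission is rated high, the store-installed chat app with only an overlay permission is rated low, and the store-installed banking app produces no finding. A high rating is a prompt to look closer, not proof of infection: legitimate screen readers and password managers also use accessibility services, which is why the installer source is weighed alongside the permission.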