Red Hot Cyber
Cybersecurity is about sharing.
Recognize the risk, combat it, share your experiences,
and encourage others to do better than you.
Redazione RHC : 22 June 2025 18:44
A new version of Android malware Godfather has been discovered that creates isolated virtual environments on mobile devices to steal data from banking applications.
Recall that Godfather was first discovered in March 2021 by researchers at ThreatFabric. Since then, the banking malware has undergone significant changes and is very different from the last sample studied by Group-IB in December 2022. At that time, the malware had attacked 400 cryptocurrency and banking applications in 16 countries using HTML overlays.
As specialists from Zimperium, who have discovered a new version of the malware, now explain, the malware runs on the device in a controlled virtual environment, which allows it to spy in real time, steal credentials and manipulate transactions, while maintaining reliable camouflage.
This tactic was first spotted in late 2023 in the Android malware FjordPhantom, whichalso leveraged virtualization to run banking applications inside containers to avoid detection.
However, while FjordPhantom only targeted users in Southeast Asia, Godfather’s attack scope is much broader, targeting over 500 banking, cryptocurrency, and e-commerce applications worldwide. Godfather attacks use a virtual file system, a virtual process ID, Intent spoofing, and StubActivity technology.
As a result, experts say, the user only sees the application’s real interface and Android security tools do not detect malicious activity, because only the host application’s actions are declared in the manifest. Godfather is distributed as an APK file that contains an integrated virtualization framework. The malware uses open source tools such as VirtualApp and Xposed to intercept calls.
Once activated on the victim’s device, the malware checks for installed target applications and, if found, injects them into its virtual environment and uses StubActivity to run inside the host container.
StubActivity is essentially a fake Activity embedded in a malicious APK with a virtualization engine. It has no user interface or logic of its own: it just acts as a proxy, creating a container and launching real Activities from target applications (e.g. banking) inside a virtual environment. In this way, Godfather tricks Android into believing that a legitimate application is being launched, when in reality it is the malware that is intercepting and controlling it.
When the user launches the real banking application, Godfather, which has previously been granted permission to use the Banking Service, Accessibility, intercepts the Intent and forwards it to the StubActivity inside the host application. As a result, a virtualized copy of the banking application is launched inside the container.
As a result, the user sees the real interface of the application, but all the sensitive data associated with it can be easily intercepted. The aforementioned Xposed is used for API hooking and Godfather gets the ability tosave credentials, passwords, PINs, track touches and receive responses from the banking backend.
Also, in moments key, the malwaredisplays a fake overlay to trick the victim into entering a PIN or password. After collecting and transmitting all the data to its operators, Godfather awaits further commands from the hackers to unlock the device, perform certain operations with the user interface, open the application, and make a payment/transfer from the real banking application.
Additionally, the user sees a fake “update” screen or a black screen at this time, so that any suspicious activity does not attract their attention. While the campaign discovered by Zimperium only targeted a few Turkish banking apps, researchers warn that other Godfather operators may select other subsets of the 500 targeted apps to attack in other regions.
Redazione