A brand new model of the Android malware “Godfather” creates remoted digital environments on cellular units to steal account information and transactions from reliable banking apps.
These malicious apps are executed inside a managed digital setting on the system, enabling real-time spying, credential theft, and transaction manipulation whereas sustaining excellent visible deception.
The tactic resembles that seen within the FjordPhantom Android malware in late 2023, which additionally used virtualization to execute SEA financial institution apps inside containers to evade detection.
Nonetheless, Godfather’s focusing on scope is far broader, focusing on over 500 banking, cryptocurrency, and e-commerce apps worldwide utilizing a full digital filesystem, digital Course of ID, intent spoofing, and StubActivity.
In accordance to Zimperium, which analyzed it, the extent of deception could be very excessive. The consumer sees the true app UI, and the Android protections miss the malicious operation facet, as solely the host app’s actions are declared within the manifest.
Virtualized information theft
Godfather comes within the type of an APK app containing an embedded virtualization framework, leveraging open-source instruments such because the VirtualApp engine and Xposed for hooking.
As soon as energetic on the system, it checks for put in goal apps, and if discovered, it locations it inside its digital setting and makes use of a StubActivity to launch it contained in the host container.
A StubActivity is a placeholder exercise declared within the app working the virtualization engine (the malware) that acts as a shell or proxy for launching and working actions from virtualized apps.
It does not comprise its personal UI or logic and, as a substitute, delegates conduct to the host app, tricking Android into considering {that a} reliable app is being run whereas really intercepting and controlling it.
Supply: Zimperium
When the sufferer launches the true banking app, Godfather’s accessibility service permission intercepts the ‘Intent’ and redirects it to a StubActivity contained in the host app, which initiates the digital model of the banking app contained in the container.
The consumer sees the true app interface, however all delicate information concerned of their interactions could be simply hijacked.
By utilizing Xposed for API hooking, Godfather can report account credentials, passwords, PINs, contact occasions, and seize responses from the banking backend.
Supply: Zimperium
The malware shows a pretend lock display screen overlay at key moments to trick the sufferer into getting into their PIN/passwords.
As soon as it has collected and exfiltrated all that information, it awaits instructions from the operators to unlock the system, carry out UI navigation, open apps, and set off funds/transfers from inside the true banking app.
Throughout this, the consumer sees a pretend “replace” display screen or a black display screen in order to not increase their suspicion.
Evolving menace
Godfather first appeared within the Android malware area in March 2021, as found by ThreatFabric, and adopted a formidable evolutionary trajectory since then.
The newest Godfather model constitutes a major evolution to the final pattern analyzed by Group-IB in December 2022, which focused 400 apps and 16 international locations utilizing HTML login display screen overlays on prime of baking and crypto alternate apps.
Though the marketing campaign Zimperium noticed solely targets a dozen Turkish financial institution apps, different Godfather operators could decide to activate different subsets of the five hundred focused apps to assault totally different areas.
To guard your self from this malware, solely obtain apps from Google Play or APKs from publishers you belief, be sure that Play Defend is energetic, and take note of the requested permissions.
Patching used to imply advanced scripts, lengthy hours, and infinite hearth drills. Not anymore.
On this new information, Tines breaks down how fashionable IT orgs are leveling up with automation. Patch quicker, scale back overhead, and deal with strategic work — no advanced scripts required.
