A brand new model of the Android malware “Godfather” creates remoted digital environments on cell gadgets to steal account information and transactions from respectable banking apps.
These malicious apps are executed inside a managed digital setting on the gadget, enabling real-time spying, credential theft, and transaction manipulation whereas sustaining good visible deception.
The tactic resembles that seen within the FjordPhantom Android malware in late 2023, which additionally used virtualization to execute SEA financial institution apps inside containers to evade detection.
Nevertheless, Godfather’s focusing on scope is way broader, focusing on over 500 banking, cryptocurrency, and e-commerce apps worldwide utilizing a full digital filesystem, digital Course of ID, intent spoofing, and StubActivity.
In accordance to Zimperium, which analyzed it, the extent of deception could be very excessive. The person sees the actual app UI, and the Android protections miss the malicious operation side, as solely the host app’s actions are declared within the manifest.
Virtualized information theft
Godfather comes within the type of an APK app containing an embedded virtualization framework, leveraging open-source instruments such because the VirtualApp engine and Xposed for hooking.
As soon as energetic on the gadget, it checks for put in goal apps, and if discovered, it locations it inside its digital setting and makes use of a StubActivity to launch it contained in the host container.
A StubActivity is a placeholder exercise declared within the app working the virtualization engine (the malware) that acts as a shell or proxy for launching and working actions from virtualized apps.
It would not include its personal UI or logic and, as a substitute, delegates conduct to the host app, tricking Android into considering {that a} respectable app is being run whereas really intercepting and controlling it.
Supply: Zimperium
When the sufferer launches the actual banking app, Godfather’s accessibility service permission intercepts the ‘Intent’ and redirects it to a StubActivity contained in the host app, which initiates the digital model of the banking app contained in the container.
The person sees the actual app interface, however all delicate information concerned of their interactions may be simply hijacked.
Through the use of Xposed for API hooking, Godfather can file account credentials, passwords, PINs, contact occasions, and seize responses from the banking backend.
Supply: Zimperium
The malware shows a pretend lock display overlay at key moments to trick the sufferer into getting into their PIN/passwords.
As soon as it has collected and exfiltrated all that information, it awaits instructions from the operators to unlock the gadget, carry out UI navigation, open apps, and set off funds/transfers from inside the actual banking app.
Throughout this, the person sees a pretend “replace” display or a black display in order to not increase their suspicion.
Evolving menace
Godfather first appeared within the Android malware area in March 2021, as found by ThreatFabric, and adopted a formidable evolutionary trajectory since then.
The newest Godfather model constitutes a major evolution to the final pattern analyzed by Group-IB in December 2022, which focused 400 apps and 16 international locations utilizing HTML login display overlays on high of baking and crypto alternate apps.
Though the marketing campaign Zimperium noticed solely targets a dozen Turkish financial institution apps, different Godfather operators could choose to activate different subsets of the five hundred focused apps to assault completely different areas.
To guard your self from this malware, solely obtain apps from Google Play or APKs from publishers you belief, make sure that Play Defend is energetic, and take note of the requested permissions.
Patching used to imply complicated scripts, lengthy hours, and infinite fireplace drills. Not anymore.
On this new information, Tines breaks down how fashionable IT orgs are leveling up with automation. Patch quicker, scale back overhead, and concentrate on strategic work — no complicated scripts required.
