A brand new model of the Android malware “Godfather” creates remoted digital environments on cellular gadgets to steal account knowledge and transactions from reliable banking apps.
These malicious apps are executed inside a managed digital surroundings on the system, enabling real-time spying, credential theft, and transaction manipulation whereas sustaining excellent visible deception.
The tactic resembles that seen within the FjordPhantom Android malware in late 2023, which additionally used virtualization to execute SEA financial institution apps inside containers to evade detection.
Nevertheless, Godfather’s concentrating on scope is way broader, concentrating on over 500 banking, cryptocurrency, and e-commerce apps worldwide utilizing a full digital filesystem, digital Course of ID, intent spoofing, and StubActivity.
In accordance to Zimperiumwhich analyzed it, the extent of deception could be very excessive. The consumer sees the true app UI, and the Android protections miss the malicious operation facet, as solely the host app’s actions are declared within the manifest.
Virtualized knowledge theft
Godfather comes within the type of an APK app containing an embedded virtualization framework, leveraging open-source instruments such because the VirtualApp engine and Xposed for hooking.
As soon as lively on the system, it checks for put in goal apps, and if discovered, it locations it inside its digital surroundings and makes use of a StubActivity to launch it contained in the host container.
A StubActivity is a placeholder exercise declared within the app operating the virtualization engine (the malware) that acts as a shell or proxy for launching and operating actions from virtualized apps.
It would not include its personal UI or logic and, as a substitute, delegates habits to the host app, tricking Android into considering {that a} reliable app is being run whereas really intercepting and controlling it.
Creating the virtualized surroundings
Supply: Zimperium
When the sufferer launches the true banking app, Godfather’s accessibility service permission intercepts the ‘Intent’ and redirects it to a StubActivity contained in the host app, which initiates the digital model of the banking app contained in the container.
The consumer sees the true app interface, however all delicate knowledge concerned of their interactions could be simply hijacked.
By utilizing Xposed for API hooking, Godfather can document account credentials, passwords, PINs, contact occasions, and seize responses from the banking backend.
Community hooks utilized by Godfather
Supply: Zimperium
The malware shows a pretend lock display overlay at key moments to trick the sufferer into coming into their PIN/passwords.
As soon as it has collected and exfiltrated all that knowledge, it awaits instructions from the operators to unlock the system, carry out UI navigation, open apps, and set off funds/transfers from inside the true banking app.
Throughout this, the consumer sees a pretend “replace” display or a black display in order to not increase their suspicion.
Evolving risk
Godfather first appeared within the Android malware house in March 2021, as found by ThreatFabric, and adopted a powerful evolutionary trajectory since then.
The newest Godfather model constitutes a major evolution to the final pattern analyzed by Group-IB in December 2022, which focused 400 apps and 16 nations utilizing HTML login display overlays on high of baking and crypto change apps.
Though the marketing campaign Zimperium noticed solely targets a dozen Turkish financial institution apps, different Godfather operators could choose to activate different subsets of the five hundred focused apps to assault completely different areas.
To guard your self from this malware, solely obtain apps from Google Play or APKs from publishers you belief, make sure that Play Defend is lively, and take note of the requested permissions.
Patching used to imply complicated scripts, lengthy hours, and countless fireplace drills. Not anymore.
On this new information, Tines breaks down how trendy IT orgs are leveling up with automation. Patch quicker, scale back overhead, and give attention to strategic work — no complicated scripts required.
