A new version of the Android malware Godfather creates isolated virtual environments on mobile devices to steal account credentials and hijack transactions in legitimate banking apps.
The targeted legitimate apps are run inside a virtual environment that the malware controls. This lets it spy on them in real time, steal login credentials, and manipulate transactions, while what the user sees on screen is the genuine app interface.
According to BleepingComputer, the tactic resembles the one used by the FjordPhantom Android malware in late 2023. That malware also used virtualization to run Southeast Asian banking apps inside containers in order to evade detection.
Godfather's scope is much broader, however. It targets more than 500 banking, cryptocurrency, and e-commerce apps worldwide, using a fully virtual file system, virtual process IDs, intent spoofing, and a StubActivity.
According to Zimperium, which analyzed the malware, the deception is hard to spot. The user sees the real app's interface, and Android's own security checks see nothing amiss, because only the host app's components are declared in its manifest; the virtualized app's activities never appear there.
Virtual data theft
Godfather comes in the form of an APK with an embedded virtualization framework. It is built from open-source components such as the VirtualApp engine for the container and Xposed for API hooking.
Once active on the device, it checks which of its target apps are installed, and if any are found, it loads them into its virtual environment and uses a StubActivity to launch them inside the host container.
A StubActivity is a placeholder activity declared in the manifest of the app that hosts the virtualization engine (here, the malware). It acts as a proxy through which the activities of virtualized apps are launched and run.
The stub has no user interface or logic of its own; it hands off to the virtualized app's code, which runs inside the host process. As far as Android can tell, the host app's declared activity is running, when in reality the banking app is being executed under the malware's control.
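To make the manifest point concrete, the following Python script is an added example, not code from Zimperium's analysis or from the Godfather sample. It runs a static triage heuristic over a decoded AndroidManifest.xml (such as apktool produces) and the APK's dex class list: a container host has to declare one placeholder component per guest process slot, so a large family of stub activities that differ only by an inner-class suffix and each claim their own android:process is the manifest-level tell, and classes from the VirtualApp and Xposed packages corroborate it. The manifests, the package names (com.example.host, com.example.bank) and the class list are constructed for the demonstration; the framework package prefixes are those of the public VirtualApp and Xposed projects, and treating them as indicators is an assumption, since a repackaged build may rename or obfuscate them.

```python
"""Static triage heuristic for virtualization-container APKs (added example).

Input is a decoded AndroidManifest.xml as a string plus the class names found
in the APK's dex files, so everything runs offline. FRAMEWORK_PREFIXES holds
the public VirtualApp and Xposed package names; using them as indicators is
an assumption, because a repackaged sample may rename them.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed indicator prefixes (package names of the public projects).
FRAMEWORK_PREFIXES = {
    "com.lody.virtual.": "VirtualApp engine",
    "de.robv.android.xposed.": "Xposed hooking API",
}

# Placeholder components look like ...StubActivity$C0 or ...ProxyService$P3.
STUB_NAME_RE = re.compile(r"(?:Stub|Proxy)(?:Activity|Service|Provider)(?:\$\w+)?$")


def parse_components(manifest_xml):
    """Return (package, [(tag, fully qualified name, android:process)])."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    components = []
    app = root.find("application")
    if app is None:
        return package, components
    for tag in ("activity", "service", "provider"):
        for el in app.findall(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith("."):  # relative name such as ".MainActivity"
                name = package + name
            components.append((tag, name, el.get(ANDROID_NS + "process")))
    return package, components


def stub_families(components):
    """Group stub-named components by base name (the part before '$')."""
    families = defaultdict(list)
    for _tag, name, process in components:
        if STUB_NAME_RE.search(name):
            families[name.split("$")[0]].append(process)
    return families


def framework_hits(class_names):
    """Count dex classes that live under a known framework package."""
    hits = defaultdict(int)
    for class_name in class_names:
        for prefix, label in FRAMEWORK_PREFIXES.items():
            if class_name.startswith(prefix):
                hits[label] += 1
    return dict(hits)


def triage(manifest_xml, class_names, min_family=8):
    """Flag a stub family of min_family or more plus any framework classes."""
    package, components = parse_components(manifest_xml)
    findings = []
    for base, processes in stub_families(components).items():
        if len(processes) >= min_family:
            distinct = {p for p in processes if p}
            findings.append(
                f"{len(processes)} placeholder components share base {base} "
                f"({len(distinct)} distinct android:process values)")
    for label, count in framework_hits(class_names).items():
        findings.append(f"{count} classes from {label}")
    return {"package": package, "suspicious": bool(findings), "findings": findings}


def build_sample_manifest(n_stubs=10):
    """Constructed host manifest, not a real Godfather sample."""
    stubs = "".join(
        f'    <activity android:name="com.example.host.stub.StubActivity$C{i}" '
        f'android:process=":p{i}"/>\n'
        for i in range(n_stubs))
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.host">\n'
            '  <application android:label="Utility">\n'
            '    <activity android:name=".MainActivity"/>\n'
            f'{stubs}'
            '  </application>\n</manifest>\n')


# Constructed dex class list for the hostile sample.
SAMPLE_CLASSES = [
    "com.example.host.MainActivity",
    "com.example.host.stub.StubActivity$C0",
    "com.lody.virtual.client.core.VirtualCore",
    "com.lody.virtual.client.hook.base.MethodProxy",
    "de.robv.android.xposed.XposedBridge",
]

# Constructed benign manifest: real components, no stub family, no framework.
BENIGN_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.bank">\n'
    '  <application android:label="Bank">\n'
    '    <activity android:name=".LoginActivity"/>\n'
    '    <service android:name=".SyncService" android:process=":sync"/>\n'
    '  </application>\n</manifest>\n')

if __name__ == "__main__":
    for verdict in (triage(build_sample_manifest(), SAMPLE_CLASSES),
                    triage(BENIGN_MANIFEST, ["com.example.bank.LoginActivity"])):
        print(verdict["package"], "suspicious" if verdict["suspicious"] else "clean")
        for line in verdict["findings"]:
            print("  -", line)
```

The stub-family threshold is deliberately a parameter: a legitimate app can declare a handful of proxy activities, but it has no reason to declare dozens that differ only by an inner-class suffix and each run in their own process. Treat the verdict as a triage signal for analysts, not as a blocking rule; the guest app's own activities are exactly what the manifest will not show, so their absence proves nothing either way.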
Godfather intercepts permissions
When the victim opens the real banking app, Godfather uses its accessibility-service privileges to intercept the launch and redirect it to a StubActivity within the host app, which starts the virtualized copy of the banking app inside the container.
The user sees the real app interface, but any sensitive data entered during the session can be intercepted.
By hooking APIs with Xposed, Godfather can record account details, passwords, and PIN codes, and capture the responses coming back from the bank's back end.
Malware displays fake lock screen
The malware displays a fake lock screen overlay at key moments to trick the victim into entering their PIN or password. Once all data has been collected and exfiltrated, it waits for commands from the operators to unlock the device, control user interfaces, open apps, and make payments or transfers within the real banking app.
During this process, the user sees a fake update screen or a black screen to avoid arousing suspicion.
Evolving threat
Godfather first appeared in the Android malware world in March 2021. Since then, the malware has evolved considerably.
The latest version of Godfather represents a significant step up from the last sample analyzed by Group-IB in December 2022. That sample targeted 400 apps in 16 countries with HTML login screen overlays placed on top of banking and crypto apps.
Although the campaign discovered by Zimperium only targets a dozen Turkish banking apps, other Godfather operators may choose to activate other subsets of the 500 target apps and thus attack other regions.