• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 

U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

 | 

A sophisticated cyberattack hit the International Criminal Court

 | 

Esse Health data breach impacted 263,000 individuals

 | 

Europol dismantles €460M crypto scam targeting 5,000 victims worldwide

 | 

CISA and U.S. Agencies warn of ongoing Iranian cyber threats to critical infrastructure

 | 

U.S. CISA adds Citrix NetScaler flaw to its Known Exploited Vulnerabilities catalog

 | 

Canada bans Hikvision over national security concerns

 | 

Denmark moves to protect personal identity from deepfakes with new copyright law

 | 

Ahold Delhaize data breach affected over 2.2 Million individuals

 | 

Facebook wants access to your camera roll for AI photo edits

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 51

 | 

Security Affairs newsletter Round 530 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Mobile
  • Godfather Android trojan uses virtualization to hijack banking and crypto apps

Godfather Android trojan uses virtualization to hijack banking and crypto apps

Pierluigi Paganini June 21, 2025

Godfather Android trojan uses virtualization to hijack banking and crypto apps, stealing user funds, warns mobile security firm Zimperium.

Zimperium zLabs has uncovered a major evolution of the GodFather Android trojan, which uses on-device virtualization to hijack real banking and crypto apps. Instead of using fake overlays, the malware creates a sandbox on the victim’s device, runs actual apps inside it, and intercepts user input in real time. This technique allows for full account takeovers and bypasses security features. The current campaign targets Turkish banks and shows a serious leap in mobile malware tactics.

The latest GodFather Android malware samples use ZIP manipulation and obfuscation to evade static analysis. Threat actors tamper with APK ZIP structure and the Android Manifest, adding flags and fields like “$JADXBLOCK” to mislead tools. The malware hides its payload in the assets folder and uses session-based installation to bypass restrictions. It exploits accessibility services to monitor user input, auto-grant permissions, and exfiltrate data to a C2 server via Base64-encoded URLs.

The GodFather malware uses legit open-source tools like Virtualapp and Xposed to run overlay attacks. It virtualizes apps inside a host container, not on the Android OS directly.

Hosted apps run in a sandboxed file system managed by the host, with the process com.heb.reb:va_core executing them. This setup lets the malware hook APIs, steal data, and stay hidden, ensuring its malicious functions run undetected in a controlled environment.

The GodFather malware uses a clever virtualization trick to hijack banking apps on Android devices. First, it scans the victim’s phone for specific banking apps. If it finds any, it downloads and installs Google Play components into a hidden virtual space it controls.

Next, it sets up a fake environment where it can secretly run those real banking apps. It copies key data from the legitimate apps, like package names and security details, into special files (like package.ini). This allows the malware to launch real banking apps inside its sandbox, keeping user sessions intact.

When a user tries to open their actual banking app, GodFather intercepts the request and redirects them to a fake version inside its virtual space. It uses Android’s accessibility services and its own proxy tools to seamlessly mimic the look and behavior of the real app. The victim thinks they’re using their trusted bank app, but in reality, every tap and login is being captured.

In short, GodFather creates a virtual clone of your banking app to steal your info without you noticing.

“This virtualization technique provides attackers with several critical advantages over previously seen malware. By running the legitimate app inside a controlled environment, attackers gain total visibility into the application’s processes, allowing them to intercept credentials and sensitive data in real-time. The malware can be controlled remotely and also use hooking frameworks to modify the behavior of the virtualized app, effectively bypassing security checks such as root detection. In addition to this core technique, GodFather has evolved its evasive maneuvers, employing ZIP manipulation and shifting code to the Java layer to defeat static analysis tools.” reads the report published by Zimperium. “Crucially, because the user is interacting with the real, unaltered application, the attack achieves perfect deception, making it nearly impossible to detect through visual inspection and neutralizing user vigilance.”

The GodFather malware implements advanced hooking techniques to spy on banking apps. It tailors its attack to each app, using the Xposed framework to intercept network connections, especially through the OkHttpClient library, which many banking apps use. It injects malicious interceptors to log sensitive data like login credentials.

The malware also hides itself from detection by hooking Android’s getEnabledAccessibilityServiceList API, making it return an empty list so it appears invisible to security checks.

Worse still, GodFather can steal lock screen credentials. It does this by showing fake overlays that mimic real lock screens, tricking users into entering their PIN, password, or pattern. Once entered, the malware captures that info, putting the entire device at risk.

The malware supports a wide range of commands that allow attackers to simulate gestures, manipulate screen elements, open apps/settings, control brightness, and even steal lock screen credentials through fake overlays.

It uses both advanced virtualization and classic overlay techniques to hijack legitimate apps, especially targeting over 484 popular applications. These include:

  • Banking & financial apps across the U.S., Europe, and Turkey
  • Cryptocurrency wallets and exchanges
  • E-commerce, ride-sharing, food delivery, and streaming apps
  • Social media and messaging platforms

The malware’s modular command system lets it perform precise, stealthy actions like launching fake apps, executing gestures, faking updates, controlling screen content, and stealing sensitive data, all while staying hidden from users and security tools.

“While this GodFather campaign casts a wide net, targeting nearly 500 applications globally, our analysis reveals that this highly sophisticated virtualization attack is currently focused on a dozen Turkish financial institutions.” concludes the report. “This discovery represents a significant leap in capability beyond previously documented research like “FjordPhantom” and the most recent publicly available analysis reported by Cyble in November 2024.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)


facebook linkedin twitter

Cybercrime Godfather Android Godfather malware Hacking hacking news information security news IT Information Security malware Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 03, 2025
China-linked group Houken hit French organizations using zero-days
Read more
Pierluigi Paganini July 03, 2025
Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    China-linked group Houken hit French organizations using zero-days

    APT / July 03, 2025

    Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

    Data Breach / July 03, 2025

    Europol shuts down Archetyp Market, longest-running dark web drug marketplace

    Cyber Crime / July 03, 2025

    Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

    Uncategorized / July 03, 2025

    Cisco removed the backdoor account from its Unified Communications Manager

    Security / July 02, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT