Godfather Android trojan uses virtualization to hijack banking and crypto apps

Pierluigi Paganini June 21, 2025

Godfather Android trojan uses virtualization to hijack banking and crypto apps, stealing user funds, warns mobile security firm Zimperium.

Zimperium zLabs has uncovered a major evolution of the GodFather Android trojan, which uses on-device virtualization to hijack real banking and crypto apps. Instead of using fake overlays, the malware creates a sandbox on the victim’s device, runs actual apps inside it, and intercepts user input in real time. This technique allows for full account takeovers and bypasses security features. The current campaign targets Turkish banks and shows a serious leap in mobile malware tactics.

The latest GodFather Android malware samples use ZIP manipulation and obfuscation to evade static analysis. Threat actors tamper with APK ZIP structure and the Android Manifest, adding flags and fields like “$JADXBLOCK” to mislead tools. The malware hides its payload in the assets folder and uses session-based installation to bypass restrictions. It exploits accessibility services to monitor user input, auto-grant permissions, and exfiltrate data to a C2 server via Base64-encoded URLs.

The GodFather malware uses legitimate open-source tools, VirtualApp and Xposed, to run its overlay attacks. It virtualizes apps inside a host container rather than running them on the Android OS directly.

Hosted apps run in a sandboxed file system managed by the host, with the process com.heb.reb:va_core executing them. This setup lets the malware hook APIs, steal data, and stay hidden, ensuring its malicious functions run undetected in a controlled environment.

The GodFather malware uses a clever virtualization trick to hijack banking apps on Android devices. First, it scans the victim’s phone for specific banking apps. If it finds any, it downloads and installs Google Play components into a hidden virtual space it controls.

Next, it sets up a fake environment where it can secretly run those real banking apps. It copies key data from the legitimate apps, like package names and security details, into special files (like package.ini). This allows the malware to launch real banking apps inside its sandbox, keeping user sessions intact.

When a user tries to open their actual banking app, GodFather intercepts the request and redirects them to a fake version inside its virtual space. It uses Android’s accessibility services and its own proxy tools to seamlessly mimic the look and behavior of the real app. The victim thinks they’re using their trusted bank app, but in reality, every tap and login is being captured.

In short, GodFather runs the real banking app inside a container it controls and captures everything the user enters, without the user noticing anything unusual.

“This virtualization technique provides attackers with several critical advantages over previously seen malware. By running the legitimate app inside a controlled environment, attackers gain total visibility into the application’s processes, allowing them to intercept credentials and sensitive data in real-time. The malware can be controlled remotely and also use hooking frameworks to modify the behavior of the virtualized app, effectively bypassing security checks such as root detection. In addition to this core technique, GodFather has evolved its evasive maneuvers, employing ZIP manipulation and shifting code to the Java layer to defeat static analysis tools,” reads the report published by Zimperium. “Crucially, because the user is interacting with the real, unaltered application, the attack achieves perfect deception, making it nearly impossible to detect through visual inspection and neutralizing user vigilance.”

The GodFather malware implements advanced hooking techniques to spy on banking apps. It tailors its attack to each app, using the Xposed framework to intercept network connections, notably those made through the OkHttpClient library, which many banking apps use. It injects malicious interceptors to log sensitive data such as login credentials.

The malware also hides itself from detection by hooking Android’s getEnabledAccessibilityServiceList API, making it return an empty list so that its accessibility service stays invisible to security checks that rely on that call.
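As an added illustration (not code from the article or from Zimperium), here are two startup self-checks a banking app could run to produce a risk signal for the two behaviours just described: being launched inside a VirtualApp-style container, and the accessibility service list being hidden by a hook. The class name is hypothetical; the Android APIs used are real. A hooking framework can tamper with these calls as well, so a positive result is a signal to report to the backend, not proof on its own.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;
// Hypothetical class name; added example, not from the article or Zimperium.
public final class RuntimeIntegrityCheck {
    // Inside a VirtualApp-style container the hosted app runs in the host's
    // process (the article names com.heb.reb:va_core) and its data directory
    // is redirected under the host's sandbox, so neither matches a normal install.
    public static boolean looksVirtualized(Context ctx) {
        String pkg = ctx.getPackageName();
        String dataDir = ctx.getApplicationInfo().dataDir;
        // A platform install lives at /data/user/<n>/<pkg> or /data/data/<pkg>, nothing deeper.
        boolean dataDirOk = dataDir != null
                && dataDir.matches("/data/(data|user/\\d+)/" + Pattern.quote(pkg));
        String procName = readProcessName();
        boolean procOk = procName != null && procName.startsWith(pkg);
        return !dataDirOk || !procOk;
    }

    // /proc/self/cmdline holds the process name Android assigned, NUL-terminated.
    private static String readProcessName() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/cmdline"))) {
            String line = r.readLine();
            return line == null ? null : line.replace("\0", "").trim();
        } catch (IOException e) {
            return null;
        }
    }

    // GodFather hooks getEnabledAccessibilityServiceList() to return an empty list.
    // The system also records enabled services in a Secure setting; if the
    // setting lists services while the API reports none, the API was tampered with.
    public static boolean accessibilityListHidden(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> viaApi =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        String viaSetting = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        boolean settingNonEmpty = viaSetting != null && !viaSetting.trim().isEmpty();
        return settingNonEmpty && (viaApi == null || viaApi.isEmpty());
    }
}
```

Both checks only read local state, so they add no permissions; the useful response is to attach the result to the session so the backend can step up authentication or decline high-risk transactions.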

Worse still, GodFather can steal lock screen credentials. It does this by showing fake overlays that mimic real lock screens, tricking users into entering their PIN, password, or pattern. Once entered, the malware captures that info, putting the entire device at risk.

The malware supports a wide range of commands that allow attackers to simulate gestures, manipulate screen elements, open apps/settings, control brightness, and even steal lock screen credentials through fake overlays.

It uses both advanced virtualization and classic overlay techniques to hijack legitimate apps, targeting over 484 popular applications. These include:

  • Banking & financial apps across the U.S., Europe, and Turkey
  • Cryptocurrency wallets and exchanges
  • E-commerce, ride-sharing, food delivery, and streaming apps
  • Social media and messaging platforms

The malware’s modular command system lets it perform precise, stealthy actions like launching fake apps, executing gestures, faking updates, controlling screen content, and stealing sensitive data, all while staying hidden from users and security tools.

“While this GodFather campaign casts a wide net, targeting nearly 500 applications globally, our analysis reveals that this highly sophisticated virtualization attack is currently focused on a dozen Turkish financial institutions,” concludes the report. “This discovery represents a significant leap in capability beyond previously documented research like ‘FjordPhantom’ and the most recent publicly available analysis reported by Cyble in November 2024.”
