Criminals are targeting hundreds of legitimate banking & crypto apps using an advanced virtualization technique — here's how to stay safe
GodFather malware runs real banking apps in a hidden space to steal user information

- Experts warn of malware running real apps in fake virtual environments
- GodFather bypasses security checks and overlays fake screens to steal credentials
- Targets banking and crypto apps globally with nearly invisible techniques
Zimperium zLabs has uncovered a new version of the GodFather malware that uses on-device virtualization to hijack real banking and cryptocurrency apps.
Unlike older attacks that showed fake login screens, this malware launches the actual apps in a virtual space where attackers can see everything the user does.
The attack begins with a host app that bundles a virtualization tool; this host app downloads the targeted banking or crypto app and runs it in a private environment.
Moving beyond simple overlays
When users open their app, they are unknowingly redirected into the virtual version. From there, every tap, login, and PIN entry is tracked in real time.
Because the user is interacting with a real app, it is almost impossible to spot the attack by looking at the screen.
GodFather also uses ZIP manipulation tricks and hides much of its code in ways that defeat static analysis. It requests accessibility permission and then silently grants itself further permissions, which makes the attack smooth and hard to detect.
“Mobile attackers are moving beyond simple overlays; virtualization gives them unrestricted, live access inside trusted apps,” said Fernando Ortega, Senior Security Researcher, Zimperium zLabs.
“Enterprises need on-device, behavior-based detection and runtime app protection to stay ahead of this shift toward a mobile-first attack strategy.”
Zimperium’s analysis shows that this version of GodFather is focused on Turkish banks, but the campaign targets almost 500 apps globally. These include financial services, cryptocurrency platforms, e-commerce, and messaging apps.
The malware checks for specific apps on the device, clones them into the virtual space, and uses the cloned version to collect data and track user behavior.
It can also steal device lock screen credentials using fake overlays that look like system prompts.
Attackers can control the infected phone remotely using a set of commands. These can perform swipes, open apps, change brightness, and simulate user actions.
How to stay safe
- Avoid installing apps from unknown sources; always use official stores like Google Play.
- Check app permissions carefully. If an app asks for accessibility access or screen overlay permissions without a clear reason, uninstall it immediately.
- Keep your phone’s operating system updated.
- Use mobile security tools from trusted developers.
- Avoid sideloading APK files, even if shared by someone you know.
- Rebooting your phone regularly can help thwart any persistent malware.
- Pay attention to unusual behavior, such as faster-than-usual battery drain and weird, unexpected overlays.
- If your banking app ever looks different or asks for login more often than usual, stop using it and contact your bank.
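The permission check above can be done from a computer rather than by scrolling through the phone's settings. The following is an added example, not code from the article or from Zimperium: a POSIX shell script that uses the standard Android Debug Bridge (adb) commands `settings get secure enabled_accessibility_services`, `pm list packages -3` and `appops get <pkg> SYSTEM_ALERT_WINDOW` to list which third-party apps currently hold an accessibility service or the "draw over other apps" permission, the two capabilities the article says GodFather depends on. The package names in the allow-list, the constructed sample setting value in the comments, and the exact `appops` output format (`SYSTEM_ALERT_WINDOW: allow`, as seen on recent Android releases) are assumptions; adjust them for your devices.

```shell
#!/bin/sh
# Added example (not from the TechRadar article or Zimperium's research).
# Audit an Android device connected with USB debugging for apps that hold
# an accessibility service or the SYSTEM_ALERT_WINDOW (overlay) permission.

# Parse the value of the secure setting "enabled_accessibility_services".
# Android stores it as colon-separated "package/ServiceClass" entries, e.g.
# (constructed sample) "com.example.hostapp/.RemoteSvc:com.android.foo/.Bar".
# Prints one package name per line, de-duplicated. A "null" value yields nothing.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# Given the output of "appops get <pkg> SYSTEM_ALERT_WINDOW", succeed (exit 0)
# when the app is currently allowed to draw over other apps.
# Assumes the "SYSTEM_ALERT_WINDOW: allow; ..." line format of recent Android.
overlay_allowed() {
    printf '%s\n' "$1" | grep -q 'SYSTEM_ALERT_WINDOW: allow'
}

# Succeed when a package is NOT on the assumed allow-list of expected
# accessibility users (platform and Google packages, e.g. TalkBack).
# The list is illustrative; maintain your own for your fleet.
is_unexpected() {
    case "$1" in
        com.android.*|com.google.android.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Query a connected device and print a review list.
audit_device() {
    svc=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    echo "== packages with an enabled accessibility service =="
    accessibility_packages "$svc" | while read -r pkg; do
        if is_unexpected "$pkg"; then echo "REVIEW: $pkg"; else echo "ok:     $pkg"; fi
    done

    echo "== third-party packages allowed to draw over other apps =="
    adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' | while read -r pkg; do
        out=$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r')
        if overlay_allowed "$out"; then echo "REVIEW: $pkg"; fi
    done
}

# Only talk to a device when invoked with --run; the helper functions above
# can be exercised offline on captured command output.
if [ "${1:-}" = "--run" ]; then
    audit_device
fi
```

Run it with `sh audit.sh --run` while the phone is connected with USB debugging enabled. Any entry marked `REVIEW` that is not a screen reader, automation tool or other app with an obvious reason to hold that capability is a candidate for the "uninstall it immediately" advice above; an app that appears under both headings deserves particular scrutiny, since that combination is exactly what overlay-based credential theft needs.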

Wayne Williams is a freelancer writing news for TechRadar Pro. He has been writing about computers, technology, and the web for 30 years. In that time he wrote for most of the UK’s PC magazines, and launched, edited and published a number of them too.