Mobile banking users beware - "Godfather" malware is now hijacking official bank apps


  • Zimperium spots new version of Godfather among Turkish Android users
  • New version creates virtualized versions of legitimate banking apps in a sandbox
  • It can exfiltrate login credentials, PIN codes, and unlock patterns

The notorious Godfather malware for Android phones is back with a vengeance, experts have warned, targeting victims with an upgraded build which makes it more dangerous than ever.

Cybersecurity researchers at Zimperium say they have seen an updated version of the infamous malware in the wild, and this one is even more dangerous: it simplifies the attack while evading detection better than before.

Godfather is a banking trojan, used to steal money out of people’s bank accounts. Earlier variants worked as an overlay - placing an invisible layer on top of legitimate banking apps. Therefore, when victims bring up their apps and start typing in their login credentials, these would be picked up by the overlay and sent to the attackers, who would later log into the app and make cash withdrawals.

Virtualization attacks

The new version, however, ditches the overlay approach for something even more sinister - creating a virtualized version of the app.

On compromised devices, the malware launches a virtual instance of the banking app inside a sandbox. That way, the malware doesn't even need to ask for excessive permissions in order to conduct wire fraud, and it means victims can no longer trust even the legitimate apps they have installed.

When the victim gets infected, the malware first analyzes the installed apps and looks for a banking one that fits.

If it finds one, it creates a virtualized version that launches whenever the victim tries to bring up the legitimate one.
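From a defender's side, the main thing a banking app can do against this class of attack is notice that it is not running as the package the system actually installed. The following Android class is an added illustration, not code from Zimperium, TechRadar or any bank: it applies three heuristic checks (APK location, process UID versus package UID, and where private files resolve to) that a container-style runtime tends to violate. The exact paths and the claim that a container fails these checks are assumptions about typical virtualization frameworks, not documented behaviour.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;

import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Heuristic runtime self-check for an Android app that wants to notice when it
 * is being executed inside another app's virtualization container rather than
 * as the package the system installed. Added example; the path layout and the
 * three indicators below are assumptions about common container frameworks.
 */
public final class VirtualizationCheck {

    private VirtualizationCheck() {}

    /** Returns human-readable indicators; an empty list means nothing suspicious was seen. */
    public static List<String> findIndicators(Context ctx) {
        List<String> indicators = new ArrayList<>();
        ApplicationInfo info = ctx.getApplicationInfo();
        String pkg = ctx.getPackageName();

        // 1. A normally installed app's APK lives under /data/app/. A container
        //    typically loads the guest APK from a file in the host app's private storage.
        String apk = info.sourceDir == null ? "" : info.sourceDir;
        if (!apk.startsWith("/data/app/")) {
            indicators.add("APK loaded from unexpected location: " + apk);
        }

        // 2. The UID the kernel assigned to this process should match the UID the
        //    package manager recorded for this package. Inside a container the guest
        //    runs under the host app's UID (assumption about container behaviour).
        int processUid = Process.myUid();
        if (processUid != info.uid) {
            indicators.add("process uid " + processUid + " differs from package uid " + info.uid);
        }

        // 3. Private files should resolve to a directory named after this package
        //    (/data/user/<n>/<package>/files or /data/data/<package>/files).
        //    Containers redirect file access into the host's own data directory.
        try {
            File filesDir = ctx.getFilesDir();
            String files = filesDir.getCanonicalPath();
            if (!files.contains("/" + pkg + "/")) {
                indicators.add("files directory not under own package: " + files);
            }
        } catch (IOException e) {
            indicators.add("could not resolve files directory: " + e.getMessage());
        }

        return indicators;
    }

    /** Convenience wrapper: true when at least one indicator fired. */
    public static boolean looksVirtualized(Context ctx) {
        return !findIndicators(ctx).isEmpty();
    }
}
```

A bank app would call `VirtualizationCheck.findIndicators(this)` early, for example in `Application.onCreate()` before the login screen is shown, refuse to proceed when the list is non-empty, and report the indicators to its backend so the fraud team sees the pattern. Two caveats: rooted devices and custom ROMs can trip these checks without any malware present, so the result should feed a risk decision rather than a hard block on its own; and a container that hooks the framework APIs can lie to all three checks, so on-device heuristics like these are a complement to, not a substitute for, server-side device attestation (for example Google's Play Integrity API).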

Besides stealing login credentials, Godfather can exfiltrate PIN codes and unlock patterns, and can remotely control the device during off-hours (in the middle of the night, for example), making wire transfers while the victim is asleep.

Zimperium says it has only observed Godfather among Turkish Android users so far, but it warned that the malware operators can pivot towards the West at any time, so banking users everywhere should be on their guard.

Via InfoSecurity


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
