- Experts warn of malware that runs real applications inside fake virtual environments
- Godfather bypasses security controls and uses fake screen overlays to steal credentials
- Targets banking and crypto applications worldwide with almost invisible techniques
Zimperium zLabs has discovered a new version of the Godfather malware that uses on-device virtualization to hijack banking and cryptocurrency applications.
Unlike older attacks, which showed fake login screens, this malware launches the real applications in a virtual space where attackers can see everything the user does.
The attack begins with a host application that includes a virtualization tool. This host application downloads the targeted banking or crypto application and runs it in a private environment.
Going beyond simple overlays
When users open their app, they are unknowingly redirected to the virtual version. From there, every tap, login and PIN entry is tracked in real time.
Because the user is interacting with the real application, the attack is almost impossible to spot by looking at the screen.
Godfather also uses ZIP tricks and hides a large part of its code in a way that defeats static analysis. It requests accessibility permissions, then silently grants itself further access, which makes the attack seamless and difficult to detect.
“Mobile attackers are going beyond simple overlays; virtualization gives them unrestricted live access inside trusted applications,” said Fernando Ortega, Principal Security Researcher at Zimperium zLabs.
“Businesses need on-device, behavior-based detection and application protection to stay ahead of this shift in mobile attack strategy.”
Zimperium’s analysis shows that this version of Godfather focuses on Turkish banks, but the campaign targets nearly 500 applications worldwide, including financial services, cryptocurrency platforms, e-commerce and messaging apps.
The malware checks for specific applications on the device, clones them in the virtual space, and uses the cloned version to collect data and track user behavior.
It can also steal credentials from the device lock screen using fake overlays that resemble system prompts.
Attackers can control the infected phone remotely through a set of commands. These can perform swipes, open applications, change the brightness and simulate user actions.
How to stay safe
- Avoid installing apps from unknown sources; always use official stores such as Google Play.
- Check app permissions carefully. If an app requests accessibility or screen overlay permissions without a clear reason, uninstall it immediately.
- Keep your phone’s operating system up to date.
- Use mobile security tools from trusted developers.
- Avoid sideloading APK files, even if they are shared by someone you know.
- Restarting your phone regularly can help thwart persistent malware.
- Watch for unusual behavior, such as faster-than-usual battery drain and strange or unexpected overlays.
- If your banking app looks different or asks you to log in more often than usual, stop using it and contact your bank.
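To make the permission check in the list above concrete, here is an added audit script (not from the article or from Zimperium) that reads the two permissions Godfather relies on, enabled accessibility services and the screen-overlay app op, from `adb shell` output and flags packages outside an allowlist; the allowlist, the package names and the sample device output are constructed assumptions, and the `appops` output format is assumed from common Android builds.

```shell
#!/bin/sh
# Added example: audit accessibility-service and overlay grants on an Android device.
# Assumed allowlist of packages expected to hold accessibility access (e.g. a screen reader).
ALLOWED_ACCESSIBILITY="com.google.android.marvin.talkback"

# `settings get secure enabled_accessibility_services` prints entries of the form
# com.pkg/com.pkg.Service separated by colons. Emit one package name per line.
parse_accessibility_services() {
    printf '%s\n' "$1" | tr ':' '\n' | sed 's|/.*||' | sed '/^$/d'
}

# Print every enabled accessibility package that is not on the allowlist.
unexpected_accessibility() {
    for pkg in $(parse_accessibility_services "$1"); do
        case " $ALLOWED_ACCESSIBILITY " in
            *" $pkg "*) ;;          # expected, skip
            *) echo "$pkg" ;;       # unexpected accessibility grant
        esac
    done
}

# `appops get <pkg> SYSTEM_ALERT_WINDOW` prints a line such as
# "SYSTEM_ALERT_WINDOW: allow; time=+3d2h10m0s ago" (format assumed).
# Succeed when the overlay op is allowed for that package.
overlay_allowed() {
    printf '%s\n' "$1" | grep -q 'SYSTEM_ALERT_WINDOW: allow'
}

# Constructed sample output standing in for a device; package names are made up.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.vidplayer/com.example.vidplayer.A11yService'
SAMPLE_APPOPS='SYSTEM_ALERT_WINDOW: allow; time=+3d2h10m0s ago'

# Use a live device when adb is present and one is attached; otherwise use the sample.
audit_device() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        svc=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    else
        svc="$SAMPLE_SERVICES"
    fi
    unexpected_accessibility "$svc"
}

audit_device   # prints com.example.vidplayer for the constructed sample
```

Run `adb shell appops get <package> SYSTEM_ALERT_WINDOW` on each flagged package and pass the line to `overlay_allowed` to see whether it also holds the overlay permission the article warns about.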