‘GodFather’ Malware Hijacks Banking Apps, Leverages Advanced Virtualization for Account Takeover

• The GodFather banking malware improved functionalities and now employs advanced on-device virtualization.
• Attackers hijack legitimate banking and crypto applications, facilitating swift and nearly undetectable account takeovers.
• The malware creates a virtual environment on the victim’s device, running targeted applications within a controlled sandbox.

A significant evolution in GodFather sees the malware leveraging advanced on-device virtualization techniques, deceiving users by creating an isolated, controlled environment on a victim's device. 

Instead of using traditional overlay login screens, it virtualizes various legitimate apps within a sandbox, with a focus on banking and cryptocurrency apps, allowing attackers real-time monitoring of every interaction.

GodFather uses this virtualization method to run the actual app within its controlled environment. This approach enables attackers to intercept sensitive credentials and bypass key security measures like root detection, a recent Zimperium report says.

Users unknowingly engage with their legitimate apps, but every tap and input is tracked and hijacked by the malware. The seamless deception makes it incredibly challenging to detect through visual inspection.

It employs new layers of obfuscation, including ZIP manipulation and the movement of malicious code to the Java layer. These techniques help it evade static analysis and bypass detection tools. 

Combined with its use of Android accessibility services, the malware effectively lures users into granting permissions, allowing it to control additional device functions covertly.

This iteration of GodFather has focused its capabilities, targeting approximately 500 global apps, largely in the financial and cryptocurrency sectors. A specific emphasis on Turkish financial institutions highlights the malware's ability to adapt its strategy for targeted campaigns. 

The consequences are severe, including full account takeovers and the potential compromise of connected devices, eroding users’ trust in mobile apps altogether.

GodFather's virtualization-based attack represents a significant leap in mobile malware sophistication. By eroding the fundamental trust between users and their apps, it sets a precedent for future threats.

"What we are seeing with GodFather malware is the further evidence of a shifting paradigm in cybersecurity where full account takeover is swift and brutal," noted April Lenhard, Principal Product Manager at Qualys for TechNadu. 

Casey Ellis, Founder of Bugcrowd, added that this novel technique holds significant potential, and it’s only a matter of time before it gets replicated across different regions.

Eric Schwake, Director of Cybersecurity Strategy at Salt Security, emphasized the gravity of this evolution, stating that this cunning method undermines the integrity of financial transactions and highlights the urgent need for robust API security strategies.