
Godfather Android malware now uses virtualization to hijack banking apps


A new version of the Android malware "Godfather" creates isolated virtual environments on mobile devices to steal account data and transactions from legitimate banking apps.

The targeted apps are executed inside a controlled virtual environment on the device, enabling real-time spying, credential theft, and transaction manipulation while maintaining perfect visual deception.

The tactic resembles that seen in the FjordPhantom Android malware in late 2023, which also used virtualization to execute Southeast Asian (SEA) bank apps inside containers to evade detection.

However, Godfather's targeting scope is much broader, covering over 500 banking, cryptocurrency, and e-commerce apps worldwide, and it relies on a full virtual filesystem, virtual process IDs, intent spoofing, and a StubActivity.

According to Zimperium, which analyzed it, the level of deception is very high. The user sees the real app's UI, and Android's protections miss the malicious activity because only the host app's activities are declared in the manifest.

Virtualized data theft

Godfather comes in the form of an APK app containing an embedded virtualization framework, leveraging open-source tools such as the VirtualApp engine and Xposed for hooking.

Once active on the device, it checks for installed target apps and, if it finds one, places that app inside its virtual environment and uses a StubActivity to launch it inside the host container.

A StubActivity is a placeholder activity declared in the app running the virtualization engine (the malware) that acts as a shell or proxy for launching and running activities from virtualized apps.

It doesn't contain its own UI or logic and, instead, delegates behavior to the host app, tricking Android into thinking that a legitimate app is being run while actually intercepting and controlling it.
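The mechanism just described gives app developers something to check for: an app that has been loaded into a third-party container no longer lives at its own install location, its main process is no longer named after its package, and its identity as seen by the package manager can diverge from what the kernel reports. The following Android self-check is an added example written for this page; it is not code from the article, from Zimperium, or from the malware. The package name, class name, and the specific regular expression are assumptions, the checks are heuristics (some OEM builds relocate directories), and it assumes API level 28 or higher for `Application.getProcessName()`.

```java
// Added example (not from the article or from Zimperium): heuristic self-checks an Android
// app can run at startup to notice that it is executing inside a third-party
// virtualization container rather than as a normally installed package.
// Assumptions: API 28+ for Application.getProcessName(); results are risk signals for the
// app to act on (e.g. refuse sensitive transactions), not proof of compromise.
package com.example.selfcheck; // hypothetical package name

import android.app.Application;
import android.content.Context;
import android.os.Build;
import android.os.Process;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public final class VirtualizationCheck {

    private VirtualizationCheck() {}

    /** Returns a list of human-readable indicators; an empty list means nothing suspicious. */
    public static List<String> findIndicators(Context ctx) {
        List<String> hits = new ArrayList<>();
        String pkg = ctx.getPackageName();

        // 1. Data directory: a normally installed app's files dir sits directly under
        //    /data/user/<n>/<pkg> (or the /data/data/<pkg> alias). A container redirects it
        //    under the host app's own data directory, so <pkg> appears nested deeper.
        String files = ctx.getFilesDir().getAbsolutePath();
        String expected = "^/data/(user/\\d+|data)/" + Pattern.quote(pkg) + "/files$";
        if (!files.matches(expected)) {
            hits.add("files dir not at expected location: " + files);
        }

        // 2. Process name: by default the main process is named after the package
        //    (or "<pkg>:<suffix>" for secondary processes). A container runs guest apps
        //    inside worker processes it declared for itself, named after the host package.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            String proc = Application.getProcessName();
            if (proc != null && !proc.equals(pkg) && !proc.startsWith(pkg + ":")) {
                hits.add("process name belongs to another package: " + proc);
            }
        }

        // 3. Native library directory should reference this package's own install path.
        String libDir = ctx.getApplicationInfo().nativeLibraryDir;
        if (libDir != null && !libDir.contains("/" + pkg)) {
            hits.add("nativeLibraryDir does not reference this package: " + libDir);
        }

        // 4. UID consistency: the UID the kernel gave this process should equal the UID the
        //    package manager assigned to this package. In a container the process runs as
        //    the host app's real UID while the guest is handed a virtual one.
        int kernelUid = Process.myUid();
        int pmUid = ctx.getApplicationInfo().uid;
        if (kernelUid != pmUid) {
            hits.add("kernel uid " + kernelUid + " != ApplicationInfo.uid " + pmUid);
        }

        return hits;
    }

    /** Convenience wrapper for callers that only need a yes/no answer. */
    public static boolean looksVirtualized(Context ctx) {
        return !findIndicators(ctx).isEmpty();
    }
}
```

A banking app would typically call `looksVirtualized(getApplicationContext())` early in `Application.onCreate()` and, on a hit, degrade to a read-only mode or report the indicators to its backend rather than silently continuing. Because each check can be hooked by a sufficiently thorough engine, the value is in combining several independent signals and in moving the decision server-side where possible.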
