A new iteration of the Android malware "Godfather" now uses app-level virtualization: instead of overlaying a fake login screen, it runs the genuine banking apps inside an isolated container hosted by the malware itself on the infected device, which lets it steal login credentials and manipulate transactions in real time.
Because the real app runs inside that container and draws its own screens, the user sees the genuine interface rather than a forgery, while the malware observes everything the app does from outside; this is what makes the attack so hard for the victim to detect.
Godfather builds on two open-source frameworks, VirtualApp (app virtualization) and Xposed (runtime API hooking), to hook Android APIs and launch the targeted apps through proxy "StubActivities" declared inside the malware's own package, so sensitive data can be intercepted with nothing visible to the user.
When the user opens a targeted app, the malware redirects the launch into its virtual environment and records the inputs the user types there, such as passwords and PINs.
It also hides unauthorized actions such as money transfers behind fake lock or update screens so the victim does not see the transaction being carried out. This variant is a significant step up from earlier versions: its target list now spans more than 500 apps worldwide, although Zimperium reports that the campaign it observed currently focuses on Turkish banks.
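Because Godfather embeds stock VirtualApp and Xposed code, an analyst triaging a suspicious APK can look for those frameworks' class names in the app's DEX files before any dynamic analysis. The script below is an added example written for this page, not code from the article or from Zimperium; it scans every classes*.dex entry of an APK for the public package prefixes of the VirtualApp (com.lody.virtual, including its client.stub components) and Xposed (de.robv.android.xposed) projects and turns the hits into a triage priority. The two sample APKs are constructed inline (zip files whose DEX entries carry only the DEX magic and a few class-descriptor strings, not real bytecode) so the script runs offline; the label names and the verdict thresholds are the example's own choices.

```python
import io
import re
import zipfile

# Class descriptors appear in a DEX string table in JVM-internal form,
# e.g. "Lcom/lody/virtual/client/stub/StubActivity;". The prefixes below are
# the public package names of the open-source VirtualApp and Xposed projects.
INDICATORS = {
    "virtualapp_core": re.compile(rb"Lcom/lody/virtual/"),
    "virtualapp_stub": re.compile(rb"Lcom/lody/virtual/client/stub/Stub\w*;"),
    "xposed_bridge": re.compile(rb"Lde/robv/android/xposed/Xposed(Bridge|Helpers);"),
}
DEX_ENTRY = re.compile(r"^classes\d*\.dex$")


def scan_apk_bytes(apk: bytes) -> dict:
    """Scan every classes*.dex entry of an APK (which is a zip archive) for the
    indicator patterns. Returns {indicator: sorted list of entries containing it}."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in zf.namelist():
            if not DEX_ENTRY.match(name):
                continue
            data = zf.read(name)
            for label, pattern in INDICATORS.items():
                if pattern.search(data):
                    hits.setdefault(label, []).append(name)
    return {label: sorted(entries) for label, entries in hits.items()}


def classify(hits: dict) -> str:
    """Turn indicator hits into a triage priority. Embedding VirtualApp alone is
    not proof of malice (legitimate "dual app" products use it too), so the
    result is a priority for further analysis, not a detection."""
    va = "virtualapp_core" in hits or "virtualapp_stub" in hits
    xp = "xposed_bridge" in hits
    if va and xp:
        return "HIGH: app-virtualization container plus Xposed hooking (Godfather-style)"
    if va:
        return "MEDIUM: embeds a VirtualApp container; confirm it is a known dual-app product"
    if xp:
        return "MEDIUM: references the Xposed hooking API"
    return "LOW: no virtualization or hooking framework strings found"


def build_fake_apk(dex_payloads: dict) -> bytes:
    """Constructed sample: a zip laid out like an APK whose classes*.dex entries
    are NOT real DEX files, only the DEX magic followed by NUL-separated class
    descriptor strings. That is enough to exercise scan_apk_bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder only
        for name, strings in dex_payloads.items():
            zf.writestr(name, b"dex\n035\x00" + b"\x00".join(strings))
    return buf.getvalue()


# Constructed samples for the demonstration, not real malware.
SUSPECT_APK = build_fake_apk({
    "classes.dex": [b"Lcom/example/dropper/MainActivity;",
                    b"Lcom/lody/virtual/client/core/VirtualCore;",
                    b"Lcom/lody/virtual/client/stub/StubActivity;"],
    "classes2.dex": [b"Lde/robv/android/xposed/XposedBridge;",
                     b"Lde/robv/android/xposed/XposedHelpers;"],
})
BENIGN_APK = build_fake_apk({
    "classes.dex": [b"Lcom/example/notes/MainActivity;",
                    b"Landroidx/core/app/ActivityCompat;"],
})

if __name__ == "__main__":
    for label, apk in (("suspect", SUSPECT_APK), ("benign", BENIGN_APK)):
        hits = scan_apk_bytes(apk)
        print(f"{label}: {classify(hits)} {hits}")
```

On a real device the APK to feed the scanner is obtained with `adb shell pm path <package>` followed by `adb pull` of the reported path. The check is deliberately string-based, so a sample whose DEX files have been renamed or re-obfuscated by a repackaging tool will not match; treat a miss as "not confirmed", not as "clean".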
Because the victim sees the genuine banking app once the malware is in place, the practical defence is to keep the malware off the device in the first place: install apps only from trusted sources, keep Google Play Protect enabled, and review permission requests carefully before granting them.