SecurityWeek

Godfather Android Trojan Creates Sandbox on Infected Devices

The Godfather Android trojan uses on-device virtualization to hijack legitimate applications and steal users’ funds.


A recent version of the Godfather Android trojan is deploying a sandbox on the infected devices to hijack banking and cryptocurrency applications, mobile security firm Zimperium warns.

Active since at least June 2021 and believed to be based on leaked Anubis banking trojan code, Godfather is known for targeting hundreds of banking and cryptocurrency applications worldwide with web overlays.

A recently identified iteration of the malware takes its information-stealing capabilities further: it deploys a complete virtualization framework on the infected device and uses it to run copies of the targeted applications inside a sandbox that the malware controls.

Godfather builds this sandbox from open source app-virtualization tools, namely VirtualApp, XposedBridge, XposedInstaller, and Xposed. A host app loads the hijacked applications, which are installed on a virtual filesystem rather than through the normal package installer, so the victim ends up interacting with a real copy of the banking app running under the malware's control instead of with a web overlay drawn on top of it.

The malware first enumerates the applications installed on the Android device, extracts the essential information it needs from the banking applications it finds, and writes that data to a cache file it then uses to launch those apps in the sandbox.

“When a user launches their app, they are seamlessly redirected to this virtualized instance, where every action, tap, and data entry is monitored and controlled by the malware at runtime,” Zimperium explains.

The approach provides attackers with total visibility into the user’s actions, allowing them to intercept sensitive information and credentials in real time. Furthermore, they can control the malware remotely to modify the virtualized app’s behavior and bypass security checks.

“Crucially, because the user is interacting with the real, unaltered application, the attack achieves perfect deception, making it nearly impossible to detect through visual inspection and neutralizing user vigilance,” Zimperium notes.


The latest iteration was also seen manipulating the ZIP structure of its APK files and the layout of the AndroidManifest.xml to evade detection. It continues, however, to rely on Android's accessibility services and on tricking users into granting the permissions it needs for its malicious activity.
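The two static indicators described above, a bundled app-virtualization stack (VirtualApp, XposedBridge) and a tampered APK container, can be checked without running the sample. The script below is an added example written for this page, not Zimperium's tooling or any code from the malware. It assumes the upstream Java package names com.lody.virtual and de.robv.android.xposed for the two frameworks, builds two constructed sample archives in memory, and flags entries whose local file header disagrees with the ZIP central directory (one way an APK can present different content to a scanner than to the installer), a manifest that is not Android binary XML, and DEX files carrying the framework package strings. The article does not describe the specific ZIP and manifest manipulations Godfather uses, so the container checks are generic rather than a signature for this family.

```python
"""Static APK triage: flag ZIP/manifest inconsistencies and bundled
app-virtualization frameworks. Added illustration for this page, not the
malware's or Zimperium's code; runs offline on constructed sample archives."""
import io
import struct
import zipfile

# Package prefixes, as they appear in DEX string data, of the frameworks the
# article names. Assumption: these are the upstream package names of
# VirtualApp and XposedBridge; a production detector would keep a curated,
# versioned indicator list instead of two hard-coded strings.
VIRTUALIZATION_MARKERS = (
    b"com/lody/virtual",        # VirtualApp
    b"de/robv/android/xposed",  # XposedBridge / Xposed
)

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # 30-byte ZIP local file header
USES_DATA_DESCRIPTOR = 0x0008        # general-purpose flag bit 3
AXML_MAGIC = b"\x03\x00\x08\x00"     # Android binary XML chunk header


def check_local_headers(apk_bytes):
    """Compare every central-directory entry with its local file header.
    The installer resolves entries through the central directory, while many
    extraction and scanning tools walk the local headers; any disagreement
    means a scanner may see different content than the device installs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = apk_bytes[off:off + 30]
            if len(hdr) < 30 or hdr[:4] != LOCAL_HEADER_SIG:
                findings.append(f"{info.filename}: missing local header")
                continue
            (_sig, _ver, flags, method, _t, _d, crc, csize, usize,
             name_len, _extra_len) = struct.unpack(LOCAL_HEADER_FMT, hdr)
            name = apk_bytes[off + 30:off + 30 + name_len].decode("utf-8", "replace")
            if name != info.filename:
                findings.append(f"{info.filename}: local header names {name!r}")
            if method != info.compress_type:
                findings.append(f"{info.filename}: compression method mismatch")
            # With bit 3 set, CRC and sizes live in a trailing data descriptor,
            # so only compare them when they are actually in the header.
            if not flags & USES_DATA_DESCRIPTOR and \
                    (crc, csize, usize) != (info.CRC, info.compress_size, info.file_size):
                findings.append(f"{info.filename}: size/CRC mismatch")
    return findings


def check_manifest(apk_bytes):
    """Flag a duplicated or missing manifest, or one that is not Android
    binary XML. A full parser would go on to walk the chunk tree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        count = zf.namelist().count("AndroidManifest.xml")
        if count != 1:
            findings.append(f"AndroidManifest.xml appears {count} times")
        if count and zf.read("AndroidManifest.xml")[:4] != AXML_MAGIC:
            findings.append("AndroidManifest.xml is not Android binary XML")
    return findings


def find_virtualization_markers(apk_bytes):
    """Search every classes*.dex for the framework package prefixes; an app
    that ships a whole VirtualApp/Xposed stack is suspicious on its own."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not (info.filename.startswith("classes") and info.filename.endswith(".dex")):
                continue
            try:
                blob = zf.read(info)
            except zipfile.BadZipFile:       # tampered header; see check_local_headers
                hits.add(f"unreadable:{info.filename}")
                continue
            hits.update(m.decode() for m in VIRTUALIZATION_MARKERS if m in blob)
    return sorted(hits)


def triage(apk_bytes):
    return {"zip": check_local_headers(apk_bytes),
            "manifest": check_manifest(apk_bytes),
            "virtualization": find_virtualization_markers(apk_bytes)}


def build_sample_apk(dex_payload, tamper=False):
    """Constructed stand-in for an APK (a ZIP with the expected entries, not an
    installable package). With tamper=True the local header of one entry is
    renamed in place so it no longer matches the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 28)
        zf.writestr("classes.dex", dex_payload)
        zf.writestr("assets/config.bin", b"\x00" * 16)
    data = bytearray(buf.getvalue())
    if tamper:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            off = zf.getinfo("assets/config.bin").header_offset
        data[off + 30:off + 30 + 17] = b"assets/cOnfig.bin"   # same length, one byte changed
    return bytes(data)


if __name__ == "__main__":
    benign = build_sample_apk(b"dex\n035\x00Lcom/example/app/Main;")
    suspect = build_sample_apk(b"dex\n035\x00Lcom/lody/virtual/client/core/VirtualCore;"
                               b"Lde/robv/android/xposed/XposedBridge;", tamper=True)
    for label, apk in (("benign", benign), ("suspect", suspect)):
        print(label, triage(apk))
```

Run it against a real sample by reading the APK into bytes and passing it to `triage()`. The header comparison is the part worth keeping even if the marker list goes stale: it is format-level, needs no signatures, and catches any container that tells the scanner and the installer two different stories.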

Zimperium also observed the malware using various hooks to steal sensitive information, and targeting device lock credentials, including lock patterns, PINs, and passwords.

The security firm has so far seen the virtualization technique used against roughly a dozen Turkish financial institutions, but warns that Godfather can target close to 500 applications, including banking, cryptocurrency, communication, e-commerce, social media, and services apps.

Related: ‘Crocodilus’ Android Banking Trojan Allows Device Takeover, Data Theft

Related: Fresh Grandoreiro Banking Trojan Campaigns Target Latin America, Europe

Related: ‘DroidBot’ Android Trojan Targets Banking, Cryptocurrency Applications

Related: Android Banking Trojan ToxicPanda Targets Europe

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
