The ‘Godfather’ Android Trojan Uses Virtualization Technology to Hijack Banking and Cryptocurrency Applications

The 'Godfather' Android Trojan Uses Virtualization Technology to Hijack Banking and Cryptocurrency Applications

Zimperium zLabs has discovered a significant upgraded version of the “Godfather” Android Trojan, which utilizes device-side virtualization technology to hijack real banking and cryptocurrency applications. Unlike traditional fake interface overlays, this malware creates a sandbox environment on the victim’s device, running real applications and capturing user input in real-time. This technology enables complete account takeover and can bypass security mechanisms. Current attack activities are primarily targeting Turkish banking institutions, marking a serious escalation in mobile malware tactics.

The latest “Godfather” Trojan sample employs ZIP file tampering and obfuscation techniques to evade static analysis. Attackers mislead analysis tools by modifying the APK package structure and the AndroidManifest file, adding special markers like “$JADXBLOCK”. Its payload is hidden in the assets folder and uses a session-based installation method to bypass system restrictions. The Trojan monitors user input through accessibility services, automatically grants permissions, and exfiltrates data to C2 servers via Base64 encoded URLs.

Technical details reveal:

  1. The Trojan implements virtualization attacks using open-source tools like VirtualApp and Xposed, running target applications in a host container rather than directly on the Android system.

  2. The virtualized applications run in a sandbox file system managed by the host (process name: com.heb.reb:va_core).

  3. This architecture allows the Trojan to hook APIs, steal data, and remain stealthy, ensuring malicious functions go undetected in a controlled environment.

Attack process analysis:

  • First, scan the device to identify specific banking applications.

  • Download and install Google Play components in a concealed virtual space.

  • Copy critical data from the legitimate application by spoofing configuration files like package.ini.

  • When the user launches the banking application, redirect the request to a cloned version in the virtual environment.

  • Utilize accessibility services and proxy tools to perfectly replicate the legitimate application’s interface and interactions.

  • Record all user actions and login credentials throughout the process.

Zimperium’s report states: “This virtualization technology gives attackers an unprecedented advantage—by running legitimate applications in a controlled environment, attackers can fully monitor application processes and steal sensitive data like credentials in real-time. The Trojan supports remote control and uses a hooking framework to modify the behavior of virtualized applications, effectively evading root detection and other security checks. More critically, since users are interacting with an unaltered legitimate application, the attack is perfectly deceptive and nearly impossible to detect through visual inspection.”

Advanced attack features:

  1. Custom Xposed framework attacks are used to specifically intercept network connections through the OkHttpClient library (used by most banking applications).

  2. Hook the getEnabledAccessibilityServiceList API to return an empty list to evade detection.

  3. Spoof lock screen interfaces to steal PIN codes/passwords/pattern locks.

  4. Support over 200 commands: simulate gestures, manipulate screen elements, access system settings, control brightness, etc.

Target range:

  • 484 popular applications globally, including:

    • Banking and financial applications from the US, Europe, and Turkey.

    • Cryptocurrency wallets and exchanges.

    • E-commerce/ridesharing/food delivery/streaming platforms.

    • Social media and messaging software.

  • Current attack focus is on 12 Turkish financial institutions.

Security experts warn: “Although the ‘Godfather’ attack covers nearly 500 applications, the virtualization attack technology discovered this time is far more complex than known samples like ‘FjordPhantom’ disclosed in the November 2024 Cyble report, representing a significant leap in mobile malware capabilities.”

Related posts

  1. Are Domestic Virtualization Products’ Supporting Software Mature?
  2. Edge Computing: Key Issues and Future Challenges
  3. Embedded Services: “Safety is No Small Matter, Preventing Fire Hazards Before They Ignite”
  4. [Open Source] RustDesk: A Revolutionary Choice for Open Source Remote Desktop
  5. Exploring and Reflecting on the Attack Surface of QEMU Virtualization Security
  6. Detailed Explanation of ARMv8/ARMv9 Interrupts: Software Aspects – An Introduction to Linux Kernel Interrupts
  7. ARMv8/ARMv9 Memory Barrier Mechanism (Observer & Barrier)
  8. The C Language in Operating Systems: Applications of C in the Linux Kernel
  9. Virtualization Technology in Smart Vehicles (Part 1)
  10. Tutorial for Installing Windows Server 2022 on ESXi Virtualization
  11. Struggling with Embedded Core Board Selection? A Deep Dive into Key Considerations to Help You Make Informed Decisions.
  12. Understanding Wi-Fi, Bluetooth, and NFC Technologies
  13. 6 Bluetooth Uses You Should Know
  14. Most Common Software in Embedded Engineering
  15. Comprehensive Ban on AI Chips? NVIDIA and AMD Face U.S. Restrictions, Do We Have Domestic Alternatives?
  16. Is the All-New Argon18 Dark Matter the Best Gravel Bike Yet?
  17. The Pitfalls of Login Functionality: How an HTTP Redirection Attack Almost Cost My Company (with Solutions)
  18. The Explosion of Generative AI Programming: Opportunities, Challenges, and Future Potential in Software Development
  19. Daily C Language Practice: Mastering Programming Basics with 4 Types of Questions (4)

Leave a Comment