NEW YORK— A sophisticated banking Trojan known as "Godfather" has evolved beyond traditional tactics by replicating real mobile banking apps within a virtual environment it creates on infected Android devices, Bank Info Security reported, citing research from Zimperium.
The malware, believed to be developed by Russian-speaking actors, now uses a virtualization technique to run genuine banking and cryptocurrency apps under full attacker control. This marks a significant leap from conventional overlay attacks, for which Godfather was already known. The virtualization approach delivers a nearly flawless user experience, making it difficult for victims to detect any malicious activity, Bank Info Security said.
By controlling the actual financial apps within this parallel environment, attackers can intercept sensitive data in real time—including login credentials, transaction details, and even lock screen information—Bank Info Security said.
The Godfather malware has been active online since at least June 2021. In December 2022, cybersecurity firm Group-IB identified it as an evolution of the older Anubis Trojan. Until recently, Godfather spread effectively by displaying one of 400 fake login screens over legitimate apps, typically reaching victims through decoy apps on Android app stores, according to Bank Info Security.
Zimperium noted that the latest version of Godfather “achieves perfect deception,” making it nearly undetectable by sight and bypassing typical user caution.
The malware installs a host app that uses virtualization frameworks like VirtualApp or Xposed to create a hidden, sandboxed environment on the device. Within this container, it clones and runs genuine banking or cryptocurrency apps without modification—preserving the original interface and functionality, rather than spoofing them.
Godfather then abuses Android Accessibility Services to monitor user activity and capture sensitive information such as login credentials, SMS-based two-factor authentication codes, and transaction details. It also injects hooks into Java network libraries like OkHttpClient to intercept API traffic, extract data, and even manipulate app-server communications in real time, enabling attackers to alter transactions as they occur, Bank Info Security explained.
Godfather's command-and-control capabilities also enable remote control of infected devices, including opening settings, overlaying fake lock screens and performing gestures. The malware uses accessibility services to inject input and suppress indicators of its presence, making it among the most deceptive Android malware variants to date, Bank Info Security said.
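The container technique described above leaves traces a banking app can look for at startup. The following Android (Java) self-check is an added example for defenders, not code from the article, Zimperium, or the malware: the class and package names are hypothetical, it uses only standard Android APIs, and it assumes an ordinary app with no sharedUserId on a device with the stock /data layout. Each check is a heuristic, so treat hits as signals to escalate (refuse sensitive operations, report telemetry), not proof.

```java
package com.example.hardening; // hypothetical package for this example

import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Process;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Startup self-checks that look for signs the app was cloned into a
 *  virtualization container or is running under a method-hooking framework. */
public final class ContainerChecks {

    /** Returns human-readable indicators; an empty list means no heuristic fired. */
    public static List<String> findIndicators(Context ctx) {
        List<String> hits = new ArrayList<>();
        String self = ctx.getPackageName();

        // 1. A virtualized app executes inside the host app's process, so it inherits the
        //    host's Linux UID. A real install without sharedUserId maps its UID to itself only.
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Process.myUid());
        if (pkgs == null || pkgs.length != 1 || !self.equals(pkgs[0])) {
            hits.add("uid not owned solely by this package: " + Arrays.toString(pkgs));
        }

        // 2. The system assigns a real install /data/data/<pkg> or /data/user/<n>/<pkg>.
        //    A container redirects the app's data dir beneath the host's own data directory.
        String dataDir = ctx.getApplicationInfo().dataDir;
        boolean standardPath = dataDir.equals("/data/data/" + self)
                || Pattern.matches("/data/user/\\d+/" + Pattern.quote(self), dataDir);
        if (!standardPath) {
            hits.add("data dir outside the standard layout: " + dataDir);
        }

        // 3. If this method or one of its callers has been hooked, the hooking framework's
        //    own frames show up on the call stack (Xposed's classes live under de.robv.android.xposed).
        for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
            String cls = frame.getClassName();
            if (cls.startsWith("de.robv.android.xposed.")) {
                hits.add("hooking framework frame on stack: " + cls);
                break;
            }
        }
        return hits;
    }

    private ContainerChecks() {}
}
```

Call `ContainerChecks.findIndicators(getApplicationContext())` early in `Application.onCreate()` and, because a container can also hook this method, corroborate the result with server-side signals rather than trusting the device alone.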
According to Zimperium researchers Fernando Ortega and Vishnu Pratapagiri, the new Godfather "marks a significant leap in mobile threat capabilities, moving beyond traditional overlays to a more deceptive and effective form of attack."
The current campaign targets nearly 500 apps globally, with a focus on 12 Turkish banks. The targeted apps span fintech, social media, e-commerce and crypto platforms, Bank Info Security added.
