Godfather Malware Now Hijacks Android Banking Apps

As malware becomes more sophisticated, seeing is not always believing. A new version of the Godfather malware found on Android is hijacking legitimate banking apps, making it increasingly difficult for users to detect (and for on-device security to protect against).
An early version of Godfather used screen overlay attacks that placed fraudulent HTML login screens on top of legitimate banking and cryptocurrency exchange apps, tricking users into entering credentials for their financial accounts. It was first discovered on Android in 2021 and is estimated to have targeted several hundred apps in more than a dozen countries.
The new threat, discovered by security firm Zimperium, is Godfather's use of virtualization, which allows the malware to create a full virtual environment on your device rather than just spoofing a login screen. It does this by installing a malicious “host” app that scans for targeted financial apps and then downloads copies that can run in its virtual sandbox.
If you open one of these targeted apps, Godfather will redirect you to a virtual version. You’ll see a real banking interface, but everything that happens in it can be intercepted and changed in real time. As Bleeping Computer notes, this includes collecting credentials, passwords, and PINs, and capturing responses from the bank’s backend. Additionally, the malware can control your device remotely, including initiating transfers and payments inside the banking or crypto app even when you’re not using it.
This threat is serious not only because it is difficult for users to detect visually, but also because it can bypass security checks on the device, such as root detection. Android’s security features only see the host app’s activity, while the malware remains hidden.
How to Protect Your Device from Godfather
While the current campaign affects around 500 apps, it is primarily focused on banks in Turkey, according to Zimperium. However, it could easily expand to other countries, as the previous version did.
To protect yourself from Godfather and any other malware targeting your Android device, only download and install apps from trusted sources, such as the Google Play Store. You can change your permission settings for unknown sources in Settings > Apps > Special app access > Install unknown apps. You should make sure that Google Play Protect, which scans apps for malware, is turned on and that your device and apps are updated. Now is also a good time to review the apps you have on your device and remove any you don’t use or don’t need.
Because the Godfather attack mechanism is so sophisticated, you should also follow other basic guidelines to avoid malware in the first place. Never open attachments or click on links in emails, text messages, or social media posts, and avoid clicking on ads that are used to distribute malware.