The GodFather Android trojan uses virtualization to hijack banking and crypto apps, stealing user funds, warns mobile security firm Zimperium. Zimperium zLabs has uncovered a major evolution of the GodFather Android trojan, which uses on-device virtualization to hijack real banking and crypto apps. Instead of using fake overlays, the malware creates a sandbox on the victim's device, runs actual apps inside it, and intercepts user input in real time. This technique allows for full account takeovers and bypasses security features.
The current campaign targets Turkish banks and shows a serious leap in mobile malware tactics. The latest GodFather Android malware samples use ZIP manipulation and obfuscation to evade static analysis. Threat actors tamper with the APK ZIP structure and the Android Manifest, adding flags and fields like “$JADXBLOCK” to mislead tools. The malware hides its payload in the assets folder and uses session-based installation to bypass restrictions. It exploits accessibility services to monitor user input, auto-grant permissions, and exfiltrate data to a C2 server via Base64-encoded URLs.
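As an added static-triage example (not code from the article or from Zimperium), the Python below checks an APK for the manifest and ZIP indicators described in this paragraph: the “$JADXBLOCK” marker in AndroidManifest.xml and a DEX or nested ZIP payload parked under assets/. The sample APK is constructed in memory, and the duplicate-entry check is my assumption of one common form of ZIP structure tampering, which the article does not detail.

```python
import io
import warnings
import zipfile

# Indicators from the article: the planted manifest marker, plus file magics to spot a payload
# parked in assets/. The duplicate-entry check is my assumption of one form of ZIP tampering.
JADX_MARKER = "$JADXBLOCK"
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"

def triage_apk(apk_bytes: bytes) -> list[str]:
    """Static triage of an APK given its raw bytes; returns human-readable findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        # Duplicate names in the central directory: analysis tools and the installer may
        # disagree about which copy of an entry "wins".
        for name in sorted({n for n in names if names.count(n) > 1}):
            findings.append(f"duplicate ZIP entry: {name}")
        if "AndroidManifest.xml" in names:
            manifest = zf.read("AndroidManifest.xml")
            # Binary AXML string pools may be UTF-8 or UTF-16LE, so check both encodings.
            for enc in ("utf-8", "utf-16-le"):
                if JADX_MARKER.encode(enc) in manifest:
                    findings.append(f"manifest contains {JADX_MARKER} marker ({enc})")
        for name in names:
            if name.startswith("assets/") and not name.endswith("/"):
                with zf.open(name) as fh:
                    head = fh.read(4)
                if head == DEX_MAGIC:
                    findings.append(f"DEX payload hidden in assets: {name}")
                elif head == ZIP_MAGIC:
                    findings.append(f"nested APK/ZIP payload in assets: {name}")
    return findings

def build_sample_apk(tampered: bool) -> bytes:
    """Constructed in-memory APK for demonstration (not a real malware sample)."""
    buf = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(buf, "w") as zf:
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names; we add one on purpose
        manifest = "<manifest/>" + (JADX_MARKER if tampered else "")
        zf.writestr("AndroidManifest.xml", manifest.encode("utf-16-le"))
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00")
        zf.writestr("assets/config.bin", b"plain text")
        if tampered:
            zf.writestr("classes.dex", b"second copy")                # duplicate entry
            zf.writestr("assets/payload.bin", DEX_MAGIC + b"035\x00")  # DEX parked in assets
    return buf.getvalue()
```

Run `triage_apk(build_sample_apk(tampered=True))` to see all three findings; the clean variant returns an empty list. These checks are cheap first-pass heuristics and should feed a fuller analysis rather than replace one.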
The GodFather malware uses legitimate open-source tools like VirtualApp and Xposed to run overlay attacks. It virtualizes apps inside a host container rather than running them on the Android OS directly. Hosted apps run in a sandboxed file system managed by the host, with the process com.heb.reb:va_core executing them. This setup lets the malware hook APIs, steal data, and stay hidden, ensuring its malicious functions run undetected in a controlled environment. The GodFather malware uses a clever virtualization trick to hijack banking apps on Android devices. First, it scans the victim's phone for specific banking apps. If it finds any, it downloads and installs Google Play components into a hidden virtual space it controls. Next, it sets up a fake environment where it can secretly run those real banking apps. It copies key data from the legitimate apps, like package names.
GodFather creates a virtual clone of your banking app to steal your info without you noticing. This virtualization technique gives attackers several critical advantages over previously seen malware. By running the legitimate app inside a controlled environment, attackers gain total visibility into the application's processes, allowing them to intercept credentials and sensitive data in real time. The malware can be controlled remotely and can also use hooking frameworks to modify the behavior of the virtualized app, effectively bypassing security checks such as root detection.
A sophisticated evolution of the GodFather banking malware was observed targeting 12 Turkish banks and scanning nearly 500 apps globally, including cryptocurrency wallets and financial platforms. The real danger here: the malware leverages an advanced on-device “Virtualization-as-a-Weapon” technique that hijacks several legitimate apps with an eye towards taking full control of a mobile device. In a June 18 blog, Zimperium researchers said the GodFather malware can now create a complete, isolated virtual environment on a victim's mobile device. Instead of mimicking a login screen, the malware installs a malicious “host” that contains a virtualized framework, the researchers explain. The host then downloads and runs a copy of the actual targeted banking or cryptocurrency app within a hidden sandbox, a technique that delivers full control and surveillance without ever installing the apps on the system.