- Experts warn of malware running real apps in fake virtual environments
- GodFather bypasses security checks and overlays fake screens to steal credentials
- Targets banking and crypto apps globally with nearly invisible techniques
Zimperium zLabs has uncovered a new version of the GodFather malware that uses on-device virtualization to hijack real banking and cryptocurrency apps.
Unlike older attacks that showed fake login screens, this malware launches the actual apps in a virtual space where attackers can see everything the user does.
The attack begins with a host app that includes a virtualization tool – this host app downloads the targeted banking or crypto app and runs it in a private environment.
Moving beyond simple overlays
When users open their app, they are unknowingly redirected into the virtual version. From there, every tap, login, and PIN entry is tracked in real time.
Because the user is interacting with a real app, it is almost impossible to spot the attack by looking at the screen.
GodFather also uses ZIP tricks and hides much of its code in a way that defeats static analysis. It requests accessibility permissions and then silently grants itself more access, making the attack smooth and hard to detect.
“Mobile attackers are moving beyond simple overlays; virtualization gives them unrestricted, live access inside trusted apps,” said Fernando Ortega, Senior Security Researcher, Zimperium zLabs.
“Enterprises need on-device, behavior-based detection and runtime app protection to stay ahead of this shift toward a mobile-first attack strategy.”
Zimperium’s analysis shows that this version of GodFather is focused on Turkish banks, but the campaign targets almost 500 apps globally. These include financial services, cryptocurrency platforms, e-commerce, and messaging apps.
The malware checks for specific apps on the device, clones them into the virtual space, and uses the cloned version to collect data and track user behavior.
It can also steal device lock screen credentials using fake overlays that look like system prompts.
Attackers can control the infected phone remotely using a set of commands. These can perform swipes, open apps, change brightness, and simulate user actions.
How to stay safe
- Avoid installing apps from unknown sources – always use official stores like Google Play.
- Check app permissions carefully. If an app asks for accessibility access or screen overlay permissions without a clear reason, uninstall it immediately.
- Keep your phone’s operating system updated.
- Use mobile security tools from trusted developers.
- Avoid sideloading APK files, even if shared by someone you know.
- Rebooting your phone regularly can help thwart any persistent malware.
- Pay attention to unusual behavior, such as faster than usual battery drain and weird, unexpected overlays.
- If your banking app ever looks different or asks for login more often than usual, stop using it and contact your bank.