A sophisticated new Android banking trojan, dubbed “Godfather,” is actively targeting mobile users by employing an advanced virtualization technique to bypass security measures. This malware, a variant of the Anubis family, sets itself apart by operating inside a seemingly legitimate virtual-space application on the compromised device.
Godfather primarily targets over 220 financial applications, including banking and cryptocurrency services, across 16 countries, with a significant focus on the United States, Canada, and European nations.
The core of its attack is the web overlay attack. Once installed (often disguised as a harmless app), it watches for a targeted banking app to be opened. Instead of launching the malicious overlay directly on the main system, it relies on the virtualization layer, into which it can load malicious APKs. When the user opens a target app, Godfather displays a fake login screen within the virtual space, capturing the user’s credentials and other sensitive information.
Operating within this isolated virtual environment makes detection harder for traditional security software that scans only the main system. Beyond credential theft, the malware can intercept SMS messages (crucial for 2FA codes), disable Google Play Protect, steal contact lists, and potentially download further malicious payloads.
The use of virtualization represents a significant evolution in Android malware tactics, highlighting the need for users to be extremely cautious about app installations and device security. This sophisticated threat underscores the ongoing arms race between malware developers and cybersecurity defenses.
Source: https://www.bleepingcomputer.com/news/security/godfather-android-malware-now-uses-virtualization-to-hijack-banking-apps/