Android malware Godfather is back with a new virtualization tactic to steal banking data

20.06.2025 2 minutes Author: Newsman

Android malware Godfather is back with a new tactic: it creates a virtual environment on the device and runs the genuine banking apps inside it, silently capturing logins, passwords, and transactions. Zimperium analysts have discovered a new version of the Android malware *Godfather* that targets mobile banking apps, cryptocurrency wallets, and e-commerce platforms by hosting the real apps inside an environment it controls.

Using the open-source VirtualApp and Xposed tools, Godfather creates an isolated virtual environment directly on the user’s device. The attackers launch the real banking app inside this container, where a placeholder *StubActivity* declared by the host stands in for the genuine app’s activities, so Android believes it is running the legitimate app. The user sees the familiar interface, but every action, from taps to PIN entry, passes through the malware first. At the right moments, Godfather shows fake lock or update screens while data theft or even financial transfers are carried out in the background.
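A banking app can probe for the container-and-hook setup described above from inside its own process. The following is an added Java example, not code from the article or from Zimperium; the data-directory, process-name and Xposed-class checks are heuristics assumed to hold for VirtualApp-style hosts and Xposed-style hooking, and the class name `VirtualEnvProbe` is a placeholder.

```java
import android.app.Application;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Heuristic in-app probe for app virtualization and Xposed hooking (added example). */
public final class VirtualEnvProbe {
    private VirtualEnvProbe() {}

    /** Returns human-readable findings; an empty list means nothing suspicious was seen. */
    public static List<String> probe(Context ctx) {
        List<String> findings = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo info = ctx.getApplicationInfo();

        // 1. A container host redirects the guest's data directory under its own
        //    sandbox. A natively installed app lives at /data/user/<n>/<pkg>
        //    (or the legacy /data/data/<pkg> alias).
        Pattern expected = Pattern.compile("^/data/(user/\\d+|data)/" + Pattern.quote(pkg) + "$");
        if (info.dataDir != null && !expected.matcher(info.dataDir).matches()) {
            findings.add("dataDir redirected: " + info.dataDir);
        }

        // 2. The guest runs inside the host's process, so the process name does
        //    not belong to our package (own multi-process names look like "<pkg>:x").
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            String proc = Application.getProcessName();
            if (proc != null && !proc.equals(pkg) && !proc.startsWith(pkg + ":")) {
                findings.add("foreign process name: " + proc);
            }
        }

        // 3. Xposed injects its bridge class into the hooked process.
        try {
            Class.forName("de.robv.android.xposed.XposedBridge");
            findings.add("XposedBridge class present");
        } catch (ClassNotFoundException ignored) {
            // Not loaded: expected for an unhooked process.
        }

        // 4. Hooked methods leave Xposed frames on the call stack.
        for (StackTraceElement frame : new Throwable().getStackTrace()) {
            if (frame.getClassName().startsWith("de.robv.android.xposed.")) {
                findings.add("Xposed frame on stack: " + frame.getClassName());
                break;
            }
        }
        return findings;
    }
}
```

Because the same hooking framework can patch these checks, treat the findings as one risk signal to report to the backend rather than a local pass/fail gate.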

Godfather was first discovered in 2021, and by 2022 it had already attacked 400 applications in 16 countries, using HTML overlays to steal data. In the new version, the attackers target at least 500 applications, including in Turkey, and use full virtualization to bypass Android protections. The approach is reminiscent of a similar attack in 2023 by the *FjordPhantom* malware, which also used containerization to infiltrate banking applications in Southeast Asia.

Godfather is a prime example of how attackers combine legitimate open-source technologies with sophisticated attack patterns to bypass mobile protections. Users should be especially careful when installing APKs from untrusted sources, review requested permissions closely, and keep Play Protect enabled. Increasingly, security is not a technology but a habit.
