Jun 13, 2025

Your Mobile App, Their Playground: The Dark Side of Virtualization

zLabs

Executive Summary

Zimperium zLabs has uncovered a sophisticated evolution of the GodFather banking malware that leverages an advanced on-device virtualization technique to hijack several legitimate applications, with a focus on mobile banking and cryptocurrency applications. This method marks a significant leap in mobile threat capabilities, moving beyond traditional overlays to a more deceptive and effective form of attack.

The core of this novel technique is the malware's ability to create a complete, isolated virtual environment on the victim's device. Instead of simply mimicking a login screen, the malware installs a malicious "host" application that contains a virtualization framework. This host then downloads and runs a copy of the actual targeted banking or cryptocurrency app within its controlled sandbox. When a user launches their app, they are seamlessly redirected to this virtualized instance, where every action, tap, and data entry is monitored and controlled by the malware at runtime.

This virtualization technique provides attackers with several critical advantages over previously seen malware. By running the legitimate app inside a controlled environment, attackers gain total visibility into the application's processes, allowing them to intercept credentials and sensitive data in real time. The malware can be controlled remotely and also uses hooking frameworks to modify the behavior of the virtualized app, effectively bypassing security checks such as root detection. In addition to this core technique, GodFather has evolved its evasive maneuvers, employing ZIP manipulation and shifting code to the Java layer to defeat static analysis tools. Crucially, because the user is interacting with the real, unaltered application, the attack achieves perfect deception, making it nearly impossible to detect through visual inspection and neutralizing user vigilance.

The impact of this attack vector is severe. While this GodFather campaign casts a wide net, targeting nearly 500 applications globally, our analysis reveals that this highly sophisticated virtualization attack is currently focused on a dozen Turkish financial institutions. This discovery represents a significant leap in capability beyond previously documented research such as "FjordPhantom" and the most recent publicly available analysis, reported by Cyble in November 2024. The malware grants attackers the ability to steal a wide range of login credentials, from usernames and passwords to device PINs, ultimately leading to a full account takeover. In doing so, this virtualization technique erodes the fundamental trust between a user and their mobile applications, rendering the device itself an untrusted environment where even legitimate apps can be turned into tools for espionage and theft.

Technical Analysis

Evasive ZIP Techniques

All the latest GodFather samples found by our research team use a very similar ZIP manipulation technique. Threat actors alter the ZIP format of the APK files (Fig. 1) and tamper with the structure of the Android manifest to bypass static analysis tools and avoid detection.

Specifically, the samples exhibit two key characteristics:

  1. General purpose flag set: bit 0 of the general purpose bit flag is set in the local file headers. Because this bit signals an encrypted entry, some analysis tools conclude that the APK is password-protected and cannot unpack it, which hinders their ability to analyze the file.
  2. Extra field added: the samples carry an additional extra field containing the name “$JADXBLOCK”, which references the open-source JADX decompiler. This likely serves to further mislead or obstruct analysis.

Fig. 1: Example of Local File Header for AndroidManifest.xml
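To make the two tells concrete, here is an added Java triage routine (not code from the post or from any tool it names) that walks the local file headers of an APK, reports entries whose general purpose bit 0 is set even though their stored bytes already match the header CRC, and reports extra fields that contain "$JADXBLOCK". The sample archive built in main is constructed for this example, and the extra-field header id 0x4A44 is a placeholder.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.CRC32;

public class ZipHeaderTriage {
    private static final int LFH_SIG = 0x04034b50;     // "PK\3\4" local file header signature
    private static final int FLAG_ENCRYPTED = 0x0001;  // bit 0 of the general purpose bit flag
    private static final String JADX_MARKER = "$JADXBLOCK";

    /** Builds one stored (method 0) entry. Constructed sample bytes, not from a real APK. */
    static byte[] entry(String name, byte[] data, int flags, byte[] extra) {
        byte[] n = name.getBytes(StandardCharsets.US_ASCII);
        CRC32 crc = new CRC32();
        crc.update(data);
        ByteBuffer b = ByteBuffer.allocate(30 + n.length + extra.length + data.length).order(ByteOrder.LITTLE_ENDIAN);
        b.putInt(LFH_SIG).putShort((short) 20).putShort((short) flags).putShort((short) 0)
         .putShort((short) 0).putShort((short) 0).putInt((int) crc.getValue())
         .putInt(data.length).putInt(data.length).putShort((short) n.length).putShort((short) extra.length);
        return b.put(n).put(extra).put(data).array();
    }

    /** Returns one finding per suspicious entry; an empty list means the headers look honest. */
    public static List<String> triage(byte[] blob) {
        List<String> findings = new ArrayList<>();
        ByteBuffer b = ByteBuffer.wrap(blob).order(ByteOrder.LITTLE_ENDIAN);
        while (b.remaining() >= 30 && b.getInt(b.position()) == LFH_SIG) {
            b.getInt(); b.getShort();                    // signature, version needed to extract
            int flags = b.getShort() & 0xFFFF;
            int method = b.getShort() & 0xFFFF;
            b.getShort(); b.getShort();                  // last-mod time and date
            long crc = b.getInt() & 0xFFFFFFFFL;
            int csize = b.getInt();
            b.getInt();                                  // uncompressed size
            byte[] name = new byte[b.getShort() & 0xFFFF];
            byte[] extra = new byte[b.getShort() & 0xFFFF];
            byte[] data = new byte[csize];
            b.get(name).get(extra).get(data);
            String fname = new String(name, StandardCharsets.US_ASCII);
            // Stored bytes that already CRC-match the header are plaintext, so the "encrypted" bit is a lie.
            CRC32 actual = new CRC32(); actual.update(data);
            if ((flags & FLAG_ENCRYPTED) != 0 && method == 0 && actual.getValue() == crc) {
                findings.add(fname + ": encryption flag set but data is plaintext");
            }
            if (new String(extra, StandardCharsets.ISO_8859_1).contains(JADX_MARKER)) {
                findings.add(fname + ": extra field carries " + JADX_MARKER);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        byte[] marker = JADX_MARKER.getBytes(StandardCharsets.US_ASCII);
        // Extra-field record; header id 0x4A44 is a placeholder chosen for this sample.
        byte[] extra = ByteBuffer.allocate(4 + marker.length).order(ByteOrder.LITTLE_ENDIAN)
                .putShort((short) 0x4A44).putShort((short) marker.length).put(marker).array();
        byte[] manifest = entry("AndroidManifest.xml", "<manifest/>".getBytes(StandardCharsets.US_ASCII), FLAG_ENCRYPTED, extra);
        byte[] dex = entry("classes.dex", "dex\n".getBytes(StandardCharsets.US_ASCII), 0, new byte[0]);
        byte[] apk = ByteBuffer.allocate(manifest.length + dex.length).put(manifest).put(dex).array();
        triage(apk).forEach(System.out::println);   // two findings, both for the manifest entry
    }
}
```

The routine deliberately reads the local headers rather than the central directory, because the tampering the post describes is in the local file header.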

Accessibility Services, Obfuscation and Code Shift

Just like earlier versions, the latest GodFather malware relies on Android's accessibility services and only a few permissions to commit fraud. But there is a new twist: its Android manifest is now obfuscated with irrelevant permissions and manifest strings, specifically designed to thwart static analysis and challenge reverse engineers. We also observed that the attackers have moved much of the malicious code from the native layer to the Java layer.

The Same Old Dropper Technique

The malware uses a session-based installation technique (Fig. 2) to install the actual payload on the victim's device, in order to bypass the restrictions on accessibility permissions. It presents a message stating (Fig. 3), “You need to grant permission to use all the features of the application”, which is designed to lure victims into unknowingly installing the malware.

The malware hides its main payload in the assets folder. Once a victim falls for the trick and proceeds with the installation, the malware immediately requests accessibility permissions. If these are granted, the malware can then covertly grant itself additional permissions by overlaying content on the screen, all without the user's awareness or consent.

Fig. 2: The launcher installs the APK from assets using session-based installation

Fig. 3: The application requests accessibility, device-app and notification permissions

C&C Communication

The GodFather malware keeps all its critical information, such as its C2 communication details and the list of targeted banks, in its shared preferences. A Base64-encoded C2 URL is embedded within these preferences, allowing the malware to connect to its command server (Fig. 4).

Fig. 4: Malicious C&C in Base64

Once a victim grants accessibility permissions, the malware immediately sends information about the screen to the server, including detailed tap events captured by the Accessibility Service (Fig. 5). This means that GodFather can essentially "see" every touch, swipe, and tap that the user makes on the screen, regardless of which app is currently open.

Fig. 5: Some information collected from accessibility is sent to the C2

Uncovering New Capabilities

Overlay Using Virtualization and Hooking Frameworks

The malware is assembled from several legitimate open-source tools, namely VirtualApp, XposedBridge, XposedInstaller and Xposed, to execute its overlay attacks. It abuses the legitimate capabilities of these tools, such as virtualizing apps in sandboxed environments and hooking specific application programming interfaces (APIs), both to ensure its malicious code runs smoothly in these virtual spaces and to extract crucial data.

How does virtualization work?

The approach used by GodFather relies on a virtualization technique in which a single app acts as a container potentially capable of running multiple other apps. These secondary apps, referred to as hosted apps, are not installed directly onto the Android system. Instead, they are placed within a virtual filesystem (Fig. 7) managed by the host app. When one of these hosted apps is launched, the host creates a new process (Fig. 6), loads the hosted app into it, and then executes it.

The process responsible for executing the virtualized app is com.heb.reb:va_core.

Fig. 6: List of processes while the virtualized app is running

Fig. 7: Malware creating virtual environment inside the host app

GodFather Malware: A Toolkit for Overlay Attacks

GodFather first gathers a list of all applications installed on the victim's device, specifically checking for a predetermined list of targeted apps (Fig. 8).

Fig. 8: List of installed apps sent to the C2

If any of the applications listed below (Table 1) are already installed on the victim's device, the malware downloads and installs (Fig. 9) the Google Play Store, Google Play Services and Google Services Framework APKs and writes them to the virtual folder (Fig. 10).

Fig. 9: Downloading the Play Store, Play Services and Google Services Framework APKs

Fig. 10: Information on the virtual environment created

Package name | Bank name
--- | ---
com.akbank.android.apps.akbank_direkt | Akbank Mobile
com.fibabanka.Fibabanka.mobile | Fibabanka
com.garanti.cepsubesi | Garanti BBVA Mobile
com.tmobtech.halkbank | Halkbank Mobil
com.ingbanktr.ingmobil | ING Mobil
az.kapitalbank.mbanking | Birbank
com.kuveytturk.mobil | Kuveyt Türk Mobile
com.pozitron.iscep | İşCep: Banking & Finance
tr.com.sekerbilisim.mbank | Şeker Mobil
com.tfkb | Türkiye Finans Mobile
com.ykb.android | Yapı Kredi Mobile
com.ziraat.ziraatmobil | Ziraat Mobile

Table 1: List of banks targeted by the malware

The malware extracts essential information from targeted banking applications already installed on the device. It then uses this data to generate a cache file named package.ini, which contains all the necessary details to launch these specific banking apps within its virtual environment while preserving user sessions.

The malware follows a precise, multi-step process for this:

  1. APK parsing: analysis of the targeted apps' APKs.
  2. Private Space Preparation: The malware sets up a dedicated, private space within its virtual environment and copies over all the files needed for the banking application to run there.
  3. Completion Notification: It signals that these preparatory steps are complete.

Information gathered from the targeted applications operating within the virtual environment is subsequently converted into a serializable format (Fig. 11).

Fig. 11: Package.ini and signature.ini files created in the application folder

This serialized data is cached as package.ini and certificate.ini files on disk (Fig. 12).

Fig. 12: All the necessary components inside the package.ini to launch the banking app

Once the package.ini file is populated with key data from the legitimate banking application—such as its package name, libraries, and other components—the malware is ready to launch the virtualized version.

When victims attempt to use their original banking app, the GodFather malware mimics their actions and redirects them to its StubActivity, leveraging the accessibility service to achieve this seamless, deceptive launch.

Whenever the victim attempts to open the real banking application (Fig. 13), the malware intercepts the original Intent to launch the legitimate app and generates a fake Intent that launches a virtual app designed to mimic the banking application (Fig. 14).

Fig. 13: Original Banking application intent

Fig. 14: Fake intent to launch the virtual app that mimics the banking application

The malware first replaces the system's standard Activity Manager with its own custom proxy. With this control, it dictates how applications launched from its virtualized environment (VApp) behave.

It finely tunes launch behaviors within this virtual space, managing aspects like:

  • The activity's launch mode (standard or singleTask).
  • Whether to reuse an existing task or initiate a new one.
  • If it should deliver a new intent or spawn a new process.

Additionally, the malware assigns a virtual process ID (vpid) to the activity. It then picks a placeholder "stub" activity (Fig. 15) from the main host application to act as a bridge, enabling the virtualized app's true activity to execute within the host environment. This entire process is key to how the malware seamlessly integrates and runs its deceptive banking apps.

Fig. 15: Stub activity where the virtualized app mimics the target bank

Hooking Methods to Harvest Credentials

The malware is designed in a way that hooks different methods depending on the banking application (Fig. 16).

Fig. 16: Different hooks depending on the virtualized target app

The code in Fig. 17 uses the Xposed hooking framework to intercept and manipulate network connections. Specifically, it hooks the build() method of the OkHttpClient.Builder class, which is part of the popular OkHttp networking library used by many Android apps for handling HTTP requests. When a targeted app attempts to instantiate its OkHttp client, this hook injects a custom interceptor into the client's configuration. The injected interceptor is a dynamically generated proxy object that allows the malware to log the network requests and responses made by the app.

Fig. 17: Network hooks used by the malware

The malware customizes its data interception strategy based on the specific banking app it is targeting. It does this by checking for unique identifiers within the app's package name. Once a particular bank app is detected, the malware creates a specialized, malicious InterceptorHandler designed to intercept and record sensitive information specifically from that application. This capability provides a direct pathway for attackers to capture and exfiltrate sensitive data, including user credentials.

At runtime, GodFather intercepts and modifies the behavior of key APIs, such as getEnabledAccessibilityServiceList (Fig. 18).

Fig. 18: Hooking the getEnabledAccessibilityServiceList API

This API returns a list of active accessibility services and is commonly used by banking apps to detect screen readers or malicious services that are “observing” the screen. The malware hooks these methods to return an empty list (Fig. 19), hiding itself and all other active services.

Fig. 19: Returning an empty list for this method
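As an added illustration (not code from the post, from the malware, or from any banking app), here is a Java helper a banking app could run at startup to notice the conditions described in the virtualization section above and in this hooking section: a foreign process name such as com.heb.reb:va_core, an APK loaded from another app's private directory, a reachable XposedBridge class, and an accessibility list that the API reports as empty while Settings.Secure disagrees. The class name ContainerSelfCheck and the /data/app/ path heuristic are assumptions, and a container that hooks every one of these paths can still defeat it, so treat the result as a signal to report server-side rather than a sole gate.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Application;
import android.content.Context;
import android.os.Build;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Startup self-checks for a banking app. Hypothetical helper, not code from the post. */
public final class ContainerSelfCheck {
    public static List<String> run(Context ctx) {
        List<String> findings = new ArrayList<>();
        String pkg = ctx.getPackageName();
        // 1. A hosted app executes inside the container's process (e.g. "com.heb.reb:va_core"), not in its own.
        String proc = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P ? Application.getProcessName() : null;
        for (String p : new String[] {proc, readProcCmdline()}) {
            if (p != null && !p.startsWith(pkg)) {
                findings.add("running in foreign process " + p + " instead of " + pkg);
            }
        }

        // 2. A normally installed APK lives under /data/app/; a hosted copy comes from the host's private dir.
        String src = ctx.getApplicationInfo().sourceDir;
        if (src != null && !src.startsWith("/data/app/")) {
            findings.add("APK loaded from unexpected path " + src);
        }

        // 3. VirtualApp+Xposed containers make XposedBridge visible to the hosted process.
        try {
            Class.forName("de.robv.android.xposed.XposedBridge");
            findings.add("XposedBridge reachable from app classloader");
        } catch (ClassNotFoundException expectedOnCleanDevice) {
            // nothing to report
        }

        // 4. GodFather hooks getEnabledAccessibilityServiceList to return an empty list; cross-check Settings.
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> viaApi = am == null ? null
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        String viaSettings = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        boolean apiSaysNone = viaApi == null || viaApi.isEmpty();
        boolean settingsSaysSome = viaSettings != null && !viaSettings.trim().isEmpty();
        if (apiSaysNone && settingsSaysSome) {
            findings.add("accessibility API reports none, but Settings lists: " + viaSettings);
        }
        return findings;
    }

    /** Kernel-reported process name, independent of the framework classes a hook can patch. */
    private static String readProcCmdline() {
        try (FileInputStream in = new FileInputStream("/proc/self/cmdline")) {
            byte[] buf = new byte[256];
            int n = in.read(buf);
            return n <= 0 ? null : new String(buf, 0, n, StandardCharsets.UTF_8).split("\0")[0];
        } catch (IOException e) {
            return null;
        }
    }
}
```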

Stealing via the Device Lock Screen

A particularly alarming capability uncovered in the GodFather malware is its capacity to steal device lock credentials, irrespective of whether the victim uses an unlock pattern, a PIN, or a password. This poses a significant threat to user privacy and device security. 

This means that even a robust lock screen offers little protection against GodFather. The malware does not attempt to guess the lock; instead, it deploys a deceptive overlay (Fig. 20) designed to trick the user into revealing their credentials. This overlay likely mimics the appearance of a legitimate lock screen or appears within an application prompting for such sensitive information. When a user interacts with this malicious overlay by inputting their pattern, PIN, or password, the malware records these critical details.

Fig. 20: Overlay shown to the victim to steal credentials

Remote Control of the Device

To control infected devices and carry out its malicious operations, the GodFather malware relies on a specific set of commands. These commands dictate the malware's behavior, allowing threat actors to remotely manage various functionalities. The table below details all the commands currently supported by the GodFather malware, outlining their purpose and enabling a clearer understanding of its capabilities.

Command | Description
--- | ---
setdata | Sets the value of position X and Y
backed | Takes the user to the previous screen
home | Takes the user to the home screen
recents | Takes the user to the recents screen
scrollforwad | Scrolls the page forward
scrollback | Scrolls the page backward
opencontrol | Performs gestures on the target app
setpattern | Receives a value from the server and saves it to the “pc” variable
screenlight | Manages the screen brightness
sl2 | Acquires a WakeLock that wakes the screen and stores it so it can be released manually later
sl3 | Acquires a basic CPU-only WakeLock without storing or releasing it
autopattern | Replays the value received via the “setpattern” command on the device screen using the accessibility service
csn | Sets the timer that initiates the WebSocket connection
swpfull | Performs a full swipe
upswp | Performs a swipe up
downswp | Performs a swipe down
leftswp | Performs a swipe left
rightswp | Performs a swipe right
opnap | Opens the application whose package name is received from the server
blackscreen | Turns the screen black
sunblack | Displays a fake update overlay reading “Güncelleme kuruluyor..” (Turkish for “Installing update..”)
blackoffscreen | Turns off the black screen
getblck | Gets the current battery level (as a percentage)
gif | Loads a GIF to enable accessibility services
setDuration | Sets a duration of 500 ms
setaDuration | Sets a duration of 1500 ms used in some swipe gestures on the screen
opnsttngs | Opens the Settings app
opnsound | Opens the sound settings
opnmsc | Opens the notification settings screen for the current default SMS app
opnpckg | Opens the app notification settings for the package name received from the server
phonelock | Shows a lock overlay matching the PIN, password or pattern type
downapp | Opens https://google.com/ if Chrome is installed
upScroll | Performs an upward scroll
downScroll | Performs a downward scroll
distru | Stores a list of targeted app package names in internal storage for later use in accessibility-triggered app blocking
notifiopen | Opens the notification drawer

Table 2: List of commands used by GodFather

Classical Overlay Approach

Beyond its advanced virtualization techniques, the GodFather malware also continues to employ traditional overlay attacks, placing deceptive screens directly over legitimate applications (Fig. 21). This dual approach highlights the threat actors' remarkable adaptability in their methods. Investigations have revealed approximately 484 targeted applications, with the specific targets being received from the C2 server in a Base64-encoded format.

Fig. 21: Traditional overlay received from server 

List of Targeted Apps

The list of applications represents a significant and widespread targeting effort (hundreds of popular applications), compromising major applications used by hundreds of millions of people globally. The targets can be categorized into several key verticals:

Global Payments, E-commerce, and Services

The campaign targets top-tier global brands that are household names in digital commerce and services. This includes leading digital payment platforms with hundreds of millions of active users and billions of downloads, as well as the world's most popular online shopping apps. The list also extends to major online auction sites, widely-used ride-sharing and food delivery services, and top-tier media streaming platforms, indicating a broad effort to capture credentials across a wide swath of daily digital life.

Global Social Media and Communication

The malware targets the world's most popular communication platforms. This includes the leading encrypted messaging service with over five billion downloads, as well as the dominant social media messaging and photo-sharing apps, each with billions of users. Compromising these platforms gives threat actors access to a massive and deeply personal set of user data.

Financial and Banking Applications (Global)

The targeting is exceptionally comprehensive in the banking sector, covering major financial institutions across North America, Europe, and Turkey. In the United States, the list includes nearly every major national bank, prominent investment and brokerage firms, and popular peer-to-peer payment apps. In the United Kingdom and Canada, the largest and most widely used retail and commercial banking applications are targeted. The campaign is also extensive across Europe, with major banks in Germany, Spain, France, and Italy included in the target list.

Cryptocurrency Exchanges and Wallets

This is one of the most exhaustive target categories, highlighting a clear focus on stealing digital assets. The malware targets over 100 distinct cryptocurrency applications. This includes the world's largest and most popular crypto exchanges, each serving tens of millions of users. The list also includes dozens of the most widely used software and mobile wallets for storing digital assets, as well as the official companion apps for leading hardware wallets. This widespread effort indicates a strategic goal to compromise users across the entire crypto ecosystem, from casual investors to seasoned traders.

MITRE ATT&CK Techniques

To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table containing the MITRE tactics and techniques as reference.

Tactic | ID | Name | Description
--- | --- | --- | ---
Initial Access | T1660 | Phishing | Adversaries host phishing sites to download malicious applications
Persistence | T1603 | Scheduled Task/Job | Uses a timer to initiate the WebSocket connection
Process Injection | T1631 | Process Injection | GodFather injects malicious code and a hooking framework into the process of the hosted application through a virtualization solution
Defense Evasion | T1655.001 | Masquerading: Match Legitimate Name or Location | The malware pretends to be a genuine music application
 | T1670 | Virtualization Solution | GodFather uses a virtualization solution to place overlays on top of banking applications
 | T1617 | Hooking | GodFather uses its hooking framework in a variety of ways, including returning false information to detection mechanisms
 | T1516 | Input Injection | The malware can mimic user interaction, perform clicks and various gestures, and input data
 | T1406.002 | Obfuscated Files or Information: Software Packing | The malware is obfuscated and uses a ZIP manipulation technique
Credential Access | T1417.001 | Input Capture: Keylogging | It has a keylogger feature
Discovery | T1418 | Software Discovery | The malware collects the list of installed application packages
 | T1426 | System Information Discovery | The malware collects basic device information
Collection | T1417.001 | Input Capture: Keylogging | The malware can capture keystrokes
Command and Control | T1481.001 | Web Service: Dead Drop Resolver | The malware communicates with Telegram to fetch the C&C server
Exfiltration | T1646 | Exfiltration Over C2 Channel | Sends exfiltrated data to the C&C server
Impact | T1516 | Input Injection | It displays injected payloads such as a pattern lock and mimics banking app login screens through overlays to steal credentials


IOCs

The list of IOCs can be found here: GodFather IOCs