Zimperium’s zLabs team has exposed a troubling evolution in mobile banking malware.
The latest variant of GodFather doesn’t just spoof screens or steal passwords. It builds a world of its own, inside your phone.
This version uses on-device virtualization to hijack real banking and crypto apps. It’s not overlay, it’s not mimicry, it’s full control.
At the heart of the attack is a malicious host app. Once installed, it spins up a virtual environment, downloading a copy of the actual targeted app. When the user opens their banking or crypto app, they’re redirected to this sandbox. Everything appears normal, but inside, every action, every tap, every keystroke is watched and logged by the malware in real time.
It’s clever and deeply invasive.
By running the genuine app in a controlled space, attackers gain total visibility. They intercept credentials, harvest PINs, and bypass security checks. Root detection? Evaded. Static analysis? Outmaneuvered. The malware hides its tracks through ZIP manipulation and by shifting code to the Java layer.
There’s no fake login screen or sloppy copy. Just the real app, only now, it’s working for someone else.
This campaign is wide, with nearly 500 apps in its sights. But the focus, for now, is sharp: a dozen Turkish financial institutions. That’s where the most advanced version of the attack is being deployed.
Compared to earlier research, like “FjordPhantom,” this is a leap forward. GodFather isn’t just mimicking trusted apps, it’s weaponizing them. From usernames to full account takeovers, the damage potential is high, and rising.
What makes this dangerous isn’t just the technique. It’s the betrayal. Users are no longer interacting with a fake. They’re using their real apps in a rigged environment. Trust is gone, and detection is nearly impossible.
With virtualization, the device itself becomes hostile ground. Even legitimate apps can’t be trusted. And in the hands of attackers, that changes the game.
Swift and Brutal
April Lenhard, Principal Product Manager at Qualys, says what we are seeing with GodFather malware is the further evidence of a shifting paradigm in cybersecurity where full account takeover is swift and brutal. “We expect to see an increased use of this class of attack going forward, due in part to our increased reliance on complex hybrid infrastructure. Now more than ever, organizations need to be constantly vigilant and prepared – and to act decisively at the first evidence of suspicious behavior.”
A Breach of Trust
The sophisticated advancement of GodFather banking malware, utilizing advanced on-device virtualization, signifies a significant breach of trust between users and their mobile applications, adds Eric Schwake, Director of Cybersecurity Strategy at Salt Security. “This cunning method enables the malware to fully control legitimate apps, effortlessly capturing credentials and sensitive information during runtime while hooking internal APIs to alter app behavior and circumvent security measures.”
Schwake says this presents a serious threat for organizations beyond standard mobile overlays, as it directly undermines the integrity of financial and cryptocurrency transactions at the user’s device level. “This situation highlights the pressing need for a robust security strategy that protects backend APIs and addresses sophisticated client-side breaches that aim to steal API-enabling credentials and manipulate API-driven interactions from the user’s device’s point of origin.”
A Novel Technique, With Potential
Casey Ellis, Founder at Bugcrowd, says this is definitely a novel technique. “I can see its potential. It will be interesting to see how effectively it actually is in the wild, whether or not the threat actors decide to deploy it outside of Turkiye, and if other threat actors attempt to replicate a similar approach.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.