Godfather malware returns to Android
A new version of the Godfather banking malware has been found on Android, using advanced on-device virtualization techniques to hijack several legitimate apps. Godfather first appeared in 2021, but the new version is much more dangerous, Android Headlines reports.
In its first deployments, Godfather was spotted in 16 countries and was used to steal banking information for over 400 online banking sites and cryptocurrency exchanges. Now, cybersecurity researchers at Zimperium say that Godfather is back and even better at avoiding re-emergence.
Previous variants of the malware worked as an overlay – placing an invisible layer on top of banking apps, trying to trick users into providing their banking details. In the new version, Godfather creates a virtualized version of the app, which allows it to analyze apps on a smartphone without requiring various permissions.
On infected smartphones, the malware creates a virtualized version of the application, which runs every time the user opens the legitimate application. Through this approach, attackers can obtain not only banking data, but also PIN codes and unlock patterns.
By being able to retrieve unlock patterns, Godfather can also be used to remotely control a device when the user is not using it, allowing fraudsters to make bank transfers without the victim's knowledge.
So far, Godfather has only been spotted in Turkey, but there is no guarantee that it will not spread to other regions in the future.