As malware evolves to be more sophisticated, seeing should not always equal believing. A new iteration of the “Godfather” malware found on Android is hijacking legitimate banking apps, making it increasingly difficult for users (and on-device protections) to detect.
An early version of Godfather utilized screen overlay attacks, which placed fraudulent HTML login screens on top of legitimate banking and crypto exchange apps, tricking users into entering credentials for their financial accounts. It was first detected on Android in 2021 and was estimated to target several hundred apps across more than a dozen countries.
The new threat, uncovered by security firm Zimperium, is Godfather's virtualization, which allows the malware to create a complete virtual environment on your device rather than simply spoofing a login screen. It does so by installing a malicious “host” application, which scans for targeted financial apps and then downloads copies that can run in its virtual sandbox.
If you open one of those targeted apps, Godfather redirects you to the virtual version. You'll see the real banking interface, but everything that happens within it can be intercepted and manipulated in real time. As Bleeping Computer notes, this includes harvesting account credentials, passwords, PINs, and capture responses from the bank's back end. Further, the malware can control your device remotely, including initiating transfers and payments inside the banking or crypto app, even when you're not using it.
This threat is severe not only because it is difficult for users to detect visually, but also because it can evade on-device security checks like root detection. Android protections see only the host app's activity while the malware's remains hidden.
What do you think so far?
How to protect your device from Godfather
According to Zimperium, while the current campaign affects nearly 500 apps, it has primarily focused on banks in Turkey. That said, it could easily spread to other countries, as the previous version did.
To protect against Godfather and any other malware targeting your Android device, download and install apps only from trusted sources, like the Google Play Store. You can change permission settings for unknown sources under Settings > Apps > Special app access > Install unknown apps. You should ensure Google Play Protect, which scans apps for malware, is enabled, and that your device and apps are kept up to date. Now would also be a good time to audit the apps you have on your device and delete any you don't use or don't need.
Since Godfather's attack mechanism is so sophisticated, you should also follow other basic best practices for avoiding malware in the first place. Never open attachments or click links in emails, texts, or social media posts, and avoid clicking ads, which are used to spread malware.
