“I’m gonna make you click on a fake app you can’t refuse.”
The GodFather banking malware is back, and it’s got a new trick up its sleeve.
The first version of GodFather used screen overlay attacks, drawing fake HTML login screens on top of legitimate banking and crypto exchange apps. The new version instead uses on-device virtualization to take over the targeted apps themselves. The key to the new approach is that the malware creates an isolated virtual environment on the victim’s device and runs copies of those apps inside it.
Rather than spoofing a login screen, the malware installs a malicious host app that bundles a virtualization engine. The host then loads a copy of the genuine app for the targeted bank or crypto exchange into that environment and runs it there. The “virtualization” is app-level, not a virtual machine: the guest app runs inside the host app’s own process, where the host can hook its calls.
When the victim opens the app, the launch is redirected to the virtualized copy, and the attackers can watch them in action. The user sees the legitimate banking interface, but everything that happens inside it runs under the host app’s control and can be intercepted or tampered with in real time.
Because the host controls the guest, it can read login credentials and PINs as they are entered and capture the app’s responses from the backend. The result is a runtime hijack of the legitimate app rather than an imitation of it, and it lets the attacker steal credentials and data with ease.
No country for old permissions
Virtualization is the key to the malware’s operation. First, it enumerates the apps installed on the device and looks for matches against its target list. For each match it copies the installed app into the virtual environment hosted by the dropper app.
GodFather then hijacks the launch action and opens the sandboxed copy instead of the real app. From there the attackers see exactly what a regular user sees and can drive the app the same way. The malware can also control the device remotely, initiating transfers in banking or crypto apps without the user’s consent.
Especially concerning is its ability to steal the device lock credential, whether pattern, PIN, or passcode, which is a major escalation in the capabilities of mobile malware. The updated GodFather also evades static analysis tools through a manipulated ZIP structure in the APK and an AndroidManifest padded with large numbers of unrelated permission declarations.
GodFather’s move toward virtualization is part of a broader trend in which device-level manipulation has become as sophisticated as backend compromises.
Ghost in the phone
AntiDot is sold as Malware-as-a-Service (MaaS) on the dark web and has been tied to a broad range of mobile campaigns. Like other Android banking trojans, it performs overlay attacks and keystroke logging, captures the screen through Android’s MediaProjection API, and lets its operators control compromised devices remotely. It is advertised as a “three-in-one” kit: screen recording, SMS interception, and data exfiltration from other apps.
One notable feature is that AntiDot tracks which applications are launched and triggers a fake login prompt whenever a crypto or payment app is opened. Once launched, it shows a fake update bar and asks the victim to grant it accessibility permissions. It abuses those permissions to read on-screen content, and it registers itself as the default SMS handler so it can see incoming and outgoing messages. It can also monitor, block, or redirect calls, which opens further attack avenues.
AntiDot also manipulates notification handling in real time to hide alerts that might raise the victim’s suspicion. Its control panel is built on MeteorJS, an open-source JavaScript framework for real-time communication between the panel and infected devices. Taken together, AntiDot is a scalable, stealthy MaaS platform designed for long-term control of mobile devices and for profit.
This GodFather campaign casts a wide net: nearly 500 apps are on its target list, and previous versions were seen globally, but the current activity focuses on about a dozen Turkish financial institutions.
Because the legitimate app is the one actually talking to the bank, the traffic looks like a normal user session, and fraud prevention systems have a hard time flagging it. On the device, neither the user nor mobile security tools see anything visually out of place.
Silence of the scams
GodFather also abuses accessibility services to spy on users and take over their devices. Android’s built-in protections inspect the host application as installed, not the guest apps running inside its virtual environment, so the malicious behavior stays hidden. A similar virtualization technique appeared earlier in the FjordPhantom Android malware.
Companies cannot rely on backend defenses alone and must prepare for attacks that originate on the user’s device, including from inside the app’s own process. Detecting virtualized execution, runtime hooking, and abusive accessibility services on the device requires proactive, scalable, and intelligent in-app protection.
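As an added illustration, not code from this article or from any vendor product, the Java class below sketches the kind of start-up self-checks a banking app could run to notice that it is executing inside an app-virtualization host or next to an abusive accessibility service. The class name, the library-name list, the accessibility allowlist, and the finding strings are all assumptions chosen for the example; the Android APIs it calls are standard.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Process;
import android.provider.Settings;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical start-up self-checks for a banking app (illustrative, not a product). */
public final class VirtualEnvChecks {

    // Assumed, illustrative list of native libraries shipped by app-virtualization
    // and hooking frameworks; a real deployment would source and refresh this list.
    private static final String[] SUSPICIOUS_LIBS = {
        "libva++", "libxposed", "liblspd", "frida-agent", "libsubstrate"
    };

    // Assumed allowlist: packages whose accessibility services are expected on a stock device.
    private static final String[] TRUSTED_A11Y_PREFIXES = { "com.android.", "com.google.android." };

    private VirtualEnvChecks() {}

    /** Runs every check and returns the findings; an empty list means nothing was flagged. */
    public static List<String> run(Context ctx) {
        List<String> findings = new ArrayList<>();
        for (String f : new String[] {
                checkDataDir(ctx), checkUid(ctx), checkLoadedLibs(), checkAccessibility(ctx) }) {
            if (f != null) findings.add(f);
        }
        return findings;
    }

    /**
     * A normally installed app gets /data/user/<n>/<pkg>/files (or /data/data/<pkg>/files).
     * When a host app runs it inside a virtual environment, the same call returns a path
     * nested under the host's own data directory, so the expected pattern no longer matches.
     */
    static String checkDataDir(Context ctx) {
        String pkg = ctx.getPackageName();
        String dir = ctx.getFilesDir().getAbsolutePath();
        Pattern expected = Pattern.compile(
            "^/data/(user/\\d+|data)/" + Pattern.quote(pkg) + "/files$");
        return expected.matcher(dir).matches() ? null : "files dir not owned by us: " + dir;
    }

    /**
     * The kernel-assigned UID of our process (Process.myUid() is a plain getuid() underneath)
     * must equal the UID the package manager has on record for our package. Inside a
     * virtualization host the process runs as the host's UID, so the two diverge.
     */
    static String checkUid(Context ctx) {
        try {
            int recorded = ctx.getPackageManager()
                    .getApplicationInfo(ctx.getPackageName(), 0).uid;
            int actual = Process.myUid();
            return recorded == actual ? null
                    : "uid mismatch: process=" + actual + " package=" + recorded;
        } catch (PackageManager.NameNotFoundException e) {
            return "own package not found by package manager";
        }
    }

    /** Scans the process memory map for libraries belonging to virtualization/hooking engines. */
    static String checkLoadedLibs() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                for (String lib : SUSPICIOUS_LIBS) {
                    if (line.contains(lib)) return "suspicious library mapped: " + line.trim();
                }
            }
        } catch (IOException e) {
            return "could not read /proc/self/maps"; // a process can normally read its own map
        }
        return null;
    }

    /**
     * Lists enabled accessibility services and flags any from a package outside the allowlist.
     * This is a risk signal, not proof: legitimate third-party tools use the same API.
     */
    static String checkAccessibility(Context ctx) {
        String enabled = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (enabled == null || enabled.isEmpty()) return null;
        List<String> unknown = new ArrayList<>();
        for (String svc : enabled.split(":")) {          // entries look like pkg/.ServiceClass
            String svcPkg = svc.contains("/") ? svc.substring(0, svc.indexOf('/')) : svc;
            boolean trusted = false;
            for (String p : TRUSTED_A11Y_PREFIXES) trusted |= svcPkg.startsWith(p);
            if (!trusted) unknown.add(svc);
        }
        return unknown.isEmpty() ? null : "untrusted accessibility services: " + unknown;
    }
}
```

Call `VirtualEnvChecks.run(getApplicationContext())` early in `Application.onCreate()` and treat a non-empty result as a risk signal for step-up authentication or a blocked session, reported to the backend as well. The caveat matters: every one of these checks runs inside a process the hosting malware controls, so a determined operator can hook `getFilesDir()`, the package manager, or file reads to hide the evidence. They are layered signals, not a verdict, and should be combined with server-side device attestation rather than trusted on their own.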
Written by
Jon Samsel
Head of Cybersecurity Business and Global Marketing
Commentary
The GodFather Malware Strikes Back