
Targeting Banking and Cryptocurrency Apps


The malware primarily focuses on mobile banking and cryptocurrency applications, demonstrating a calculated approach to maximizing financial gain through technological innovation. Its core innovation lies in the ability to install a malicious host application that contains a comprehensive virtualization framework.

Instead of merely displaying fake login screens over legitimate applications, the malware downloads and executes actual copies of targeted banking or cryptocurrency apps within its controlled sandbox environment. When users attempt to launch their legitimate applications, they are seamlessly redirected to these virtualized instances, where every interaction, keystroke, and data entry is monitored and controlled in real-time by the malicious actors.


Global Reach and Evasive Techniques


Zimperium researchers identified this sophisticated campaign as targeting nearly 500 applications worldwide, with a particular focus on Turkish financial institutions. The security firm’s zLabs division uncovered that this virtualization technique provides attackers with unprecedented visibility into application processes, enabling real-time credential interception and bypassing traditional security mechanisms such as root detection.

The malware’s evolution includes enhanced evasive capabilities through ZIP manipulation and code migration to the Java layer, specifically designed to defeat static analysis tools used by security researchers.


Comprehensive Access and Deceptive Interactions


The impact of this attack vector extends far beyond conventional mobile threats. The malware grants attackers comprehensive access to login credentials, including usernames, passwords, and device PINs, ultimately facilitating complete account takeover scenarios. Most concerning is the attack’s perfect deception capability, as users interact with genuine, unaltered applications within the virtualized environment, making detection through visual inspection nearly impossible and effectively neutralizing user vigilance as a defense mechanism.

This discovery represents a substantial advancement beyond previously documented research, including earlier malware families like FjordPhantom and recent analyses published in November 2024. The technique fundamentally undermines the trust relationship between users and their mobile applications, transforming the device itself into an untrusted environment where legitimate applications become tools for espionage and theft.


Advanced Virtualization and Hooking Framework Implementation


The technical architecture of GodFather’s virtualization attack relies on legitimate open-source tools, including VirtualApp, XposedBridge, XposedInstaller, and the Xposed framework, to execute its sophisticated overlay operations. The malware exploits these tools’ legitimate capabilities to create sandboxed environments and hook into specific application programming interfaces, ensuring smooth operation of malicious code within virtual spaces while extracting critical user data.

The virtualization process operates through a container-based approach, where a single application hosts multiple secondary applications within a virtual filesystem managed by the host. When targeted applications launch, the host creates new processes identified as “com.heb.reb:va_core” and loads hosted applications within them.
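The container layout and the host-owned process name described above give a banking app something concrete to check at runtime. The following in-app self-check is an added example written for this article; it is not GodFather code, not VirtualApp or Xposed code, and not Zimperium’s detection logic. The class name `ContainerCheck`, the indicator strings, and the choice of heuristics are this example’s own assumptions; the process-name pattern `<host>:va_core`, the host-managed virtual filesystem, and the Xposed hooking layer are the facts from the article that the checks are built on.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical in-app self-check (example code, not from the malware or any vendor).
 * Collects indicators that this app is running inside a VirtualApp-style container
 * hosted by another package, or with an Xposed-style hooking framework loaded.
 */
public final class ContainerCheck {

    private ContainerCheck() {}

    /** Returns human-readable indicators; an empty list means nothing suspicious was found. */
    public static List<String> collectIndicators(Context ctx) {
        List<String> findings = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. Data directory: a normally installed app lives under /data/user/<n>/<pkg>
        //    (or the /data/data/<pkg> alias). Inside a container, dataDir points into the
        //    host's private storage, because the host manages the virtual filesystem.
        String dataDir = ai.dataDir;
        if (dataDir == null
                || !(dataDir.startsWith("/data/user/") || dataDir.startsWith("/data/data/"))
                || !dataDir.endsWith("/" + pkg)) {
            findings.add("unexpected dataDir: " + dataDir);
        }

        // 2. APK location: a user-installed app's APK is under /data/app/, not inside
        //    another package's files directory where a container keeps downloaded copies.
        String sourceDir = ai.sourceDir;
        if (sourceDir == null || !sourceDir.startsWith("/data/app/")) {
            findings.add("unexpected sourceDir: " + sourceDir);
        }

        // 3. Process name: /proc/self/cmdline is normally <pkg> or <pkg>:<suffix>.
        //    A name owned by another package (the article's "<host>:va_core") means
        //    a different app created the process we are running in.
        String procName = readFirstLine("/proc/self/cmdline");
        if (procName != null) {
            procName = procName.replace("\0", "").trim(); // cmdline is NUL-terminated
            if (!procName.equals(pkg) && !procName.startsWith(pkg + ":")) {
                findings.add("process name belongs to another package: " + procName);
            }
        }

        // 4. Hooking-framework classes on the current call stack.
        for (StackTraceElement el : Thread.currentThread().getStackTrace()) {
            String cls = el.getClassName();
            if (cls.startsWith("de.robv.android.xposed.")) {
                findings.add("Xposed frame on stack: " + cls);
                break;
            }
        }

        // 5. Hooking-framework libraries or jars mapped into this process.
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                if (line.contains("XposedBridge") || line.contains("libxposed")) {
                    findings.add("hooking library mapped: " + line.trim());
                    break;
                }
            }
        } catch (IOException ignored) {
            // An unreadable /proc/self/maps is not by itself an indicator.
        }
        return findings;
    }

    private static String readFirstLine(String path) {
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            return r.readLine();
        } catch (IOException e) {
            return null;
        }
    }
}
```

Call `ContainerCheck.collectIndicators(getApplicationContext())` early in `Application.onCreate()` and treat any non-empty result as a reason to refuse login and report to the backend. Two caveats apply: the `/data/app/` check assumes a user-installed app (system apps live elsewhere), and because the article notes the framework hooks application programming interfaces from the Java layer, a container can in principle hook these very checks. They are therefore a first signal, not a verdict; a server-side attestation such as Play Integrity, evaluated off-device, is the control that the container cannot rewrite.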