'Godfather' malware now hijacks banking applications on Android

As malware grows more sophisticated, seeing should not always be believing. A new iteration of the "Godfather" malware found on Android hijacks legitimate banking applications, which makes detection increasingly difficult for users (and for on-device protections).
An earlier version of Godfather used screen overlay attacks, which placed fraudulent HTML login screens on top of banking and crypto exchange applications, tricking users into entering the credentials for their financial accounts. It was first detected on Android in 2021 and was estimated to target several hundred applications in more than a dozen countries.
The new threat, discovered by the security company Zimperium, is a version of Godfather that uses virtualization, which allows the malware to create a complete virtual environment on your device rather than simply spoofing a login screen. It does so by installing a malicious "host" application, which scans for targeted financial applications, then downloads copies that can run in its virtual sandbox.
If you open one of these targeted applications, Godfather redirects you to the virtual version. You will see the real banking interface, but anything that happens inside it can be intercepted and manipulated in real time. As BleepingComputer notes, this includes harvesting account credentials, passwords and PINs, and capturing responses from the bank's back end. In addition, the malware can remotely control your device, in particular by launching transfers and payments inside the banking or crypto application, even when you are not using it.
This threat is serious not only because it is difficult for users to detect visually, but also because it can evade on-device security checks such as root detection. Android protections see only the activity of the host application, while the malware remains hidden.
How to protect your device from Godfather
According to Zimperium, while the current campaign affects nearly 500 applications, it is mainly focused on banks in Türkiye. That said, it could easily spread to other countries, as the previous version did.
To protect against Godfather and any other malware targeting your Android device, download and install applications only from trusted sources, such as the Google Play Store. You can change the permission settings for unknown sources under Settings > Apps > Special app access > Install unknown apps. You should also make sure that Google Play Protect, which scans applications for malware, is turned on and that your device and your applications are up to date. This is also a good time to audit the applications you have on your device and delete anything you don't use or no longer need.
Because Godfather's attack mechanism is so sophisticated, you should also follow other basic best practices to avoid malware in the first place. Never open attachments or click links in emails, text messages or social media posts, and avoid clicking on ads, which are used to spread malware.




