TechRadar
Sead Fadilpašić

Mobile banking users beware - "Godfather" malware is now hijacking official bank apps

Mobile Security.

  • Zimperium spots new version of Godfather among Turkish Android users
  • New version creates virtualized versions of legitimate banking apps in a sandbox
  • It can exfiltrate login credentials, PIN codes, and unlock patterns

The notorious Godfather malware for Android phones is back with a vengeance, experts have warned, targeting victims with an upgraded build which makes it more dangerous than ever.

Cybersecurity researchers at Zimperium say they have seen an updated version of the infamous malware in the wild, and this one is even more dangerous because it simplifies its operation while evading detection more effectively.

Godfather is a banking trojan, used to steal money out of people’s bank accounts. Earlier variants worked as an overlay - placing an invisible layer on top of legitimate banking apps. When victims opened their apps and typed in their login credentials, the overlay captured them and sent them to the attackers, who would later log into the app and make cash withdrawals.

Virtualization attacks

The new version, however, ditches the overlay approach for something even more sinister - creating a virtualized version of the app.

On compromised devices, the malware launches a virtual instance of the banking app inside a sandbox. That way, the malware doesn’t even need to ask for excessive permissions in order to conduct wire fraud, and it means victims cannot necessarily trust even the legitimate apps they have installed.

When the victim gets infected, the malware first analyzes the installed apps and looks for a banking one that fits.

If it finds one, it creates a virtualized version that launches whenever the victim tries to bring up the legitimate one.
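An added defender-side example, not code from the article or from Zimperium: a heuristic self-check an Android banking app could run at startup to detect that it is being hosted inside another app's process, which is how the virtualized instances described above run. It assumes only standard Android SDK APIs; the class name is hypothetical, and because a virtualization layer can hook these same APIs, a positive result is best treated as a telemetry signal for the bank's fraud team rather than a guarantee.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Process;
import java.io.File;

/** Hypothetical helper: heuristics that an app can run to spot app virtualization. */
public final class VirtualizationCheck {

    private VirtualizationCheck() {}

    /**
     * Returns true if this app appears to be running inside another app's
     * process rather than as the package the system installed.
     */
    public static boolean looksVirtualized(Context ctx) {
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. The UID the package manager assigned to our package must be the
        //    UID of the process we are actually running in. A hosting app
        //    runs us under its own UID.
        try {
            int installedUid = ctx.getPackageManager().getApplicationInfo(pkg, 0).uid;
            if (installedUid != Process.myUid()) {
                return true;
            }
        } catch (PackageManager.NameNotFoundException e) {
            // Our own package is not installed on the device: we are being hosted.
            return true;
        }

        // 2. Our private data directory should live under our own package name
        //    (for example /data/user/0/<pkg>/files), not under a host's directory.
        File filesDir = ctx.getFilesDir();
        if (!filesDir.getAbsolutePath().contains("/" + pkg + "/")) {
            return true;
        }

        // 3. The APK we were loaded from should be the one installed for our
        //    package, whose path contains the package name.
        if (ai.sourceDir == null || !ai.sourceDir.contains("/" + pkg)) {
            return true;
        }

        return false;
    }
}
```

A real deployment would report the outcome (together with device attestation results) to the bank's backend, where it can be correlated with other risk signals before any transfer is approved.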

Besides stealing login credentials, Godfather can exfiltrate PIN codes and unlock patterns, and can remotely control the device during off-hours (in the middle of the night, for example), making wire transfers while the victim is asleep.

Zimperium says it has only observed Godfather among Turkish Android users so far, but it warned that the malware operators can pivot towards the West at any time, so banking users everywhere should be on their guard.

Via InfoSecurity
