GodFather malware poses new threat to Android banking apps

Security researchers at Zimperium zLabs, a mobile security software provider, have uncovered a sophisticated evolution of the “GodFather” banking malware, which employs an advanced on-device virtualization technique to hijack legitimate mobile applications, with a significant focus on banking and cryptocurrency apps.

This malware is substantially more dangerous than many existing mobile device threats, according to the zLabs analysis, because it exploits and controls legitimate banking apps rather than spoofing them.

Which banking and crypto apps are being targeted

While the researchers did not publish the complete list of targeted applications, they said that, in the U.S., the malware targets “nearly every major national bank,” according to the analysis, as well as “prominent investment and brokerage firms” and “popular peer-to-peer payment apps.”

The research group said it also targets major financial institutions across Europe, especially in Turkey.

For U.S. banks and credit unions, the emergence of advanced malware like GodFather underscores the importance of robust mobile security strategies. While the newest attack found by zLabs impacts the Android operating system, the evolving threat landscape and regulatory shifts that could open up platforms traditionally considered more “closed” may introduce new attack vectors.

What is GodFather malware and why is it dangerous?

The GodFather malware operates by installing a malicious “host” application on a victim’s device that contains a virtualization framework. This host then downloads and runs a copy of the actual targeted banking or cryptocurrency application within its controlled sandbox environment.

When a user launches their legitimate app, the malware seamlessly redirects them to this virtualized instance, where it monitors and controls every action, tap and data entry in real time.

This technique provides attackers with “total visibility into the application’s processes,” according to zLabs, allowing them to intercept credentials and sensitive data instantaneously.

Because users interact with the real, unaltered application, the attack achieves “perfect deception,” making it nearly impossible to detect through visual inspection, according to the analysis.

Beyond its virtualization capabilities, GodFather also uses some traditional overlay attacks, which place deceptive screens over legitimate applications.

Android vs. iOS: A security reality check for banks

The security measures implemented by mobile operating systems like Android and iOS differ significantly, impacting their susceptibility to such threats.

Android’s open-source nature allows for greater customization and flexibility, but also exposes it to a wider range of security vulnerabilities, which have long been targeted by threat actors.

Google Play Protect, Google’s on-device protection service, scans devices daily for potentially harmful applications, or PHAs, regardless of where they were downloaded. It can automatically disable or remove severe PHAs and offers real-time checks for apps installed from outside Google Play.

However, automated malware detection such as Google Play Protect is often limited by what vulnerabilities are publicly known and cannot detect zero-day vulnerabilities that have not been disclosed.

Developers — such as banks building digital banking apps — can also use the Play Integrity API to verify if their app binary is genuine and running on a genuine Android-powered device.

Despite these measures, Android’s fragmentation, where updates are often stalled by manufacturers, can increase the risk of security breaches.

Third-party app stores on Android “typically have insufficient review processes,” which can lead to malware-laden applications, according to an analysis by security company Astra.

Apple’s iOS is known for its closed-source code and walled garden approach, which generally creates a stable and secure environment by only allowing vetted applications into the Apple App Store — though some malicious apps still make it through this review process.

Apple reviews “every single app and each app update,” according to its support pages, to evaluate whether it meets privacy, security and safety requirements, aiming to “protect users by keeping malware, cybercriminals, and scammers out of the App Store.”

This review process includes automated scans for known malware, human review of app descriptions and manual checks to ensure apps do not unnecessarily request access to sensitive data.

While generally secure, iOS is “not immune to security vulnerabilities,” according to Astra. A potential security breach at Apple could affect all iOS devices, and the reliance on a single app store “amplifies the possibility of a single point of failure.”

Researchers at Cybernews observed that iPhones, even with Chinese apps installed, rarely contacted servers in China while idle, suggesting stricter Apple policies might be a factor. However, “Without closely examining each data packet sent by the iPhone app, it’s impossible to tell what’s in it,” and “nothing is completely safe,” the researchers said.

How new regulations could open the door to more attacks

Both Apple and Google face increasing regulatory scrutiny in the U.S. and Europe concerning their control over app distribution and payment systems, which could reshape mobile security landscapes. In the U.S., Apple and Google face antitrust lawsuits from the Justice Department challenging their market control.

Proposed legislation, such as the “App Store Freedom Act,” aims to weaken their dominance by requiring app stores with over 100 million U.S. users to “allow users to set third-party apps or app stores as default; install apps or app stores outside of the dominant platform; and remove or hide pre-installed apps,” according to Kat Cammack, a Republican member of the U.S. House of Representatives representing Florida.

Cammack’s bill would also prohibit app store owners from requiring exclusive use of their in-app payment systems and prevent them from sanctioning developers for offering lower prices outside the marketplace — a major point of litigation on which Apple has been losing in recent months.

The European Union has taken its own approach with the Digital Markets Act, or DMA, designating Apple and Google as so-called “gatekeepers” that are subject to clear rules around third-party app stores.

The DMA requires such gatekeepers to “allow third parties to inter-operate with the gatekeeper’s own services” and “allow their business users to promote their offer and conclude contracts with their customers outside the gatekeeper’s platform,” according to the European Commission, the body that writes EU-wide laws.

The DMA also prohibits gatekeepers from “prevent[ing] users from un-installing any pre-installed software or app if they wish so,” said the commission.

In response, Apple is introducing changes in the EU, allowing app store developers to communicate and promote offers for digital purchases available at destinations of their choice, including alternative app marketplaces or websites.

Additionally, iOS and iPadOS will provide an updated user experience for installing alternative marketplaces or apps from a developer’s website. Apple previously argued that such measures would cause severe security issues.