GodFather Malware gets smarter

The new GodFather Android malware runs real banking apps in a virtual sandbox to steal logins, 2FA codes and notifications without raising suspicion.

20-06-2025 - 3 minute read. Posted in: malware.


GodFather Android malware hijacks banking apps to steal data

A new evolution of the GodFather Android malware is raising serious concerns in the cybersecurity world. This latest version does not rely on fake login screens or overlays. Instead, it uses a virtualization technique to run legitimate banking apps inside a sandboxed environment on infected devices. While users believe they are interacting with their actual apps, the malware is silently capturing every detail.

The upgraded version was recently discovered by researchers at Zimperium zLabs, who found that GodFather now uses advanced virtualization to hijack real banking and crypto apps and steal sensitive data directly from them.

A new level of deception

The updated GodFather malware uses virtualization to create a controlled but fully functional instance of a victim’s banking or financial app. When the user opens the app, they are unknowingly interacting with an environment the malware controls, one that looks and feels identical to the real thing. This allows the malware to capture login credentials, two-factor authentication codes, and other sensitive data with minimal user suspicion.

This method is more effective than traditional overlay attacks because everything appears normal to the victim.

Targeting financial apps globally

Researchers have observed the malware targeting over 400 banking and cryptocurrency apps in more than a dozen countries. Victims are primarily located in Europe, North America, and Asia. The malware is typically disguised as a legitimate app, such as a productivity tool or game, and asks for extensive permissions after installation.

Once installed, GodFather uses Android’s Accessibility Services to monitor screen content and user input. When a targeted app is launched, the malware activates its sandboxed version and begins recording the session.

More than just login credentials

In addition to usernames and passwords, GodFather can intercept one-time passcodes, SMS-based two-factor authentication codes, and app notifications. This gives attackers full access to the victim’s account activity and communications. Some versions also include keylogging and screen recording capabilities.

What makes this approach particularly dangerous is that victims are using their real apps, unaware that they are being monitored inside a virtual environment.


How users can protect themselves

To stay protected against threats like GodFather:

  • Only download apps from trusted sources like the Google Play Store and check the developer

  • Avoid granting sensitive permissions, especially Accessibility Services and SMS access

  • Use mobile security solutions that can detect suspicious behavior

  • Keep your device and apps updated to close known vulnerabilities
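
The first two checks in this list can be run against a device you administer. The following is an added example, not code from the original article or from Zimperium: it triages saved `adb` output to find apps that hold an enabled accessibility service, were not installed from the Play Store, and have been granted SMS permissions. The risk labels, the single trusted installer, and all sample data are assumptions of this example.

```python
"""Triage enabled Android accessibility services from saved adb output.
Inputs (collect on a device you administer):
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
  adb shell dumpsys package <package>
"""
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only
SMS_PERM = re.compile(r"android\.permission\.(READ_SMS|RECEIVE_SMS): granted=true")
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)", re.M)


def enabled_a11y_packages(setting):
    """The setting is a colon-separated list of 'package/ServiceClass' entries."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return sorted({c.split("/", 1)[0] for c in setting.split(":") if c})


def triage(setting, pm_list, dumpsys_by_pkg):
    """Return one finding per package with an enabled accessibility service."""
    installers = dict(PKG_LINE.findall(pm_list))
    findings = []
    for pkg in enabled_a11y_packages(setting):
        installer = installers.get(pkg, "null")
        sms = sorted(set(SMS_PERM.findall(dumpsys_by_pkg.get(pkg, ""))))
        sideloaded = installer not in TRUSTED_INSTALLERS
        # Heuristic of this example: both signals together rank highest.
        risk = "high" if sideloaded and sms else "review" if sideloaded or sms else "low"
        findings.append({"package": pkg, "installer": installer, "sms": sms, "risk": risk})
    return findings


# Constructed sample data; com.example.notes is a made-up package name.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.notes/com.example.notes.HelperService\n"
)
SAMPLE_PM_LIST = (
    "package:com.google.android.marvin.talkback  installer=com.android.vending\n"
    "package:com.example.notes  installer=null\n"
)
SAMPLE_DUMPSYS = {"com.example.notes": "  android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]\n"}

if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, SAMPLE_PM_LIST, SAMPLE_DUMPSYS):
        print(f"{f['risk']:6} {f['package']} installer={f['installer']} sms={f['sms']}")
```

A "high" result is a prompt to inspect the app, not proof of infection: preinstalled and enterprise-deployed apps can also report an installer other than the Play Store.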

GodFather’s new capabilities highlight how mobile malware is becoming more sophisticated. By running real apps in a sandbox, attackers can operate undetected. Understanding how these threats work is essential for staying one step ahead.

Final thoughts

The latest version of GodFather marks a turning point in the evolution of Android malware. By combining virtualization with social engineering, the attackers behind this campaign are blurring the lines between legitimate and malicious activity. This makes traditional detection methods less effective and puts more responsibility on users and organizations to remain vigilant.

As mobile banking continues to grow in popularity, so too will the sophistication of the threats targeting it. Staying informed about these developments is crucial — because protecting your data starts with understanding how it can be stolen.

Author Sarah Krarup


Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
