10 Jul 2025

Zimperium, the world pioneer in mobile security, reveals new zLabs research detailing an advanced evolution of the GodFather Android banking Trojan that weaponises on-device virtualisation to hijack nearly 500 legitimate mobile applications.

The technique allows attackers to run the real app inside a malicious sandbox, capture every tap and credential in real time, and bypass traditional overlay-based defenses.

GodFather Android banking Trojan

The following are some features of the GodFather Android banking Trojan:

  • Perfect deception: Users interact with the genuine app, making visual detection impossible.
  • Full account takeover: Attackers harvest usernames, passwords, device PINs—even lock-screen credentials.
  • Rapid industry spillover: Although the latest wave focuses on a dozen Turkish financial institutions, any sector that relies on mobile apps—finance, retail, healthcare, government—faces identical risk.
  • Evasive by design: GodFather layers ZIP-format tampering, accessibility abuse, and Xposed-based hooking to blind static scanners and root-detection checks.

Defending against mobile attackers

“Mobile attackers are moving beyond simple overlays; virtualisation gives them unrestricted, live access inside trusted apps,” said Fernando Ortega, Senior Security Researcher, Zimperium zLabs.

“Enterprises need on-device, behavior-based detection and runtime app protection to stay ahead of this shift toward a mobile-first attack strategy.”