GodFather Malware Upgraded to Hijack Legitimate Mobile Apps

June 18, 2025

The GodFather banking malware has resurfaced with a dangerous upgrade.

Previously known for overlaying fake login screens on financial apps, the malware now uses on-device virtualization to fully hijack legitimate mobile applications and conduct real-time fraud.

According to Zimperium, instead of creating fake UIs, GodFather now launches virtual instances of apps inside a sandboxed environment on the device itself.

This lets attackers:

  • Capture credentials during legitimate logins

  • Interact with apps exactly like a real user

  • Hook into internal APIs to alter app behavior

“The sophisticated advancement of GodFather banking malware, utilizing advanced on-device virtualization, signifies a significant breach of trust between users and their mobile applications,” explained Eric Schwake, director of cybersecurity strategy at Salt Security.

“This cunning method enables the malware to fully control legitimate apps, effortlessly capturing credentials and sensitive information during runtime.”


Initial Attacks Targeted Turkish Banks

Researchers first detected this evolved threat targeting banking users in Turkey.

By using virtualization to cloak its activity, GodFather evades most conventional detection tools. It mimics user behavior so convincingly that even fraud prevention systems struggle to distinguish it from legitimate activity.

“This is definitely a novel technique, and I can see its potential,” said Casey Ellis, founder of Bugcrowd.

“It will be interesting to see how effective it actually is in the wild, whether or not the threat actors decide to deploy it outside of Turkey and if other threat actors attempt to replicate a similar approach.”

The malware’s move toward virtualization marks a broader trend, as endpoint-level manipulation is becoming as sophisticated as backend API attacks.

Security Implications for Enterprises

“What we are seeing with GodFather malware is the further evidence of a shifting paradigm in cybersecurity where full account takeover is swift and brutal,” said April Lenhard, principal product manager at Qualys.

“Now more than ever, organizations need to be constantly vigilant and prepared – and to act decisively at the first evidence of suspicious behavior.”

Companies can no longer rely solely on backend protections. They must defend against threats originating from the user’s device itself.

“This situation highlights the pressing need for a robust security strategy that protects backend APIs and addresses sophisticated client-side breaches,” Schwake concluded.
