The Android Banking Trojan “Godfather” Uses On-Device Virtualization to Hijack Apps

In mid-June 2025, researchers from Zimperium zLabs disclosed a concerning development of the Android banking Trojan known as Godfather. Its latest version leverages an advanced on-device virtualization technique to take over legitimate banking apps, enabling the theft of authentication data and even the initiation of fraudulent transactions—all while presenting the user with a seemingly normal experience.
Context: The Evolution of Mobile Banking Trojans and the Need for Innovation
In recent years, mobile banking trojans have become an increasingly widespread threat, targeting the popularity of financial apps used by millions. Traditional methods—also used by earlier versions of Godfather—involved displaying fake overlay screens over legitimate apps to trick users into entering their login credentials on counterfeit pages.
First identified in March 2021 (as a successor to the infamous Anubis trojan), Godfather used these overlay techniques with more than 400 fake login screens, initially spreading through malicious apps uploaded to Android app stores. As the mobile ecosystem adopted stricter security measures (e.g., Android 13’s accessibility restrictions) and users became more cautious, attackers were forced to enhance their sophistication.
Godfather stood out as a Malware-as-a-Service (MaaS) offering, enabling its rapid, large-scale distribution. By April 2025, over 1,000 samples had been observed across 57 countries, making it one of the most widespread mobile threats globally. With a codebase derived from Anubis and a developer network (likely Russian-speaking), Godfather targeted hundreds of legitimate apps across banking, crypto, payments, and e-commerce sectors—capitalizing on the trust users place in these platforms.
Campaign Details
- Attack Vector – Infections typically begin with malicious Android apps disguised as legitimate or useful tools, spread via fraudulent websites, smishing (SMS phishing) campaigns, or third-party stores (sometimes even slipping past Play Store filters). These apps act as droppers that install the actual Godfather payload. To build trust, Godfather mimics popular apps (such as Google Play services, crypto wallets, or well-known finance apps) and requests extensive permissions—especially accessibility access, which is often granted under deceptive pretenses (e.g., a simulated update prompt).
- On-Device Virtualization Tactic – The most notable innovation in this Godfather version is the integration of a virtualization framework directly within the malware APK. Once infected, the trojan installs a malicious “host” app containing a virtualization library (based on projects like VirtualApp) and the Xposed hooking module. It scans for installed financial apps, and if it finds a target (from a list of nearly 500), it downloads or copies the legitimate version and installs it in an isolated virtual environment within the host app.
When the user launches the real banking app, the malware intercepts the launch intent using accessibility services and redirects the process to the virtualized version controlled by attackers.
- Main Malicious Capabilities – Once the target app runs inside Godfather’s virtual environment, attackers gain full real-time control via Xposed hooks injected at key points (e.g., networking libraries such as OkHttpClient). This enables:
  - Credential and Data Theft: Everything the user enters—usernames, passwords, PINs, OTPs—is captured directly from the legitimate interface.
  - Bank Account Takeover: With the session and credentials compromised, attackers can remotely unlock the device, navigate through the app, and perform transactions.
  - Stealth and Persistence: Godfather monitors active processes and newly installed apps, can disable security settings (e.g., Google Play Protect), suppresses security app notifications, and reinfects apps on every reboot.
- Targets and Scope – Godfather targets nearly 500 legitimate mobile apps globally, including online banking, crypto wallets, trading, e-commerce, and even social media apps.
The current campaign (June 2025) is geographically focused on Turkey, with local apps like Akbank, Garanti BBVA, İşbank, Yapı Kredi, and Ziraat under heavy attack. However, its infrastructure is poised for expansion to other countries and targets.
Major Impacts and Risks
- Wide Compromise Window – With almost 500 potential app targets and millions of global users, the potential damage is immense—even if currently only Turkish banks are actively targeted.
- Real-Time Financial Fraud – Godfather enables immediate theft through legitimate app interfaces. Victims may lose money without realizing it until it is too late, causing massive potential losses for individuals and reputational damage for banks.
- Total Account and Identity Takeover – Stolen credentials, 2FA codes, and unlock PINs allow attackers to completely assume control of digital identities, possibly leading to cross-account compromise (emails, social, crypto, etc.).
- Eroding Trust in Legitimate Apps – If even official apps can be abused silently, users may grow distrustful of digital banking altogether. This undermines banks’ digital transformation efforts and highlights the device as the weakest link.
- Escalation of Mobile Threats – Godfather’s success may trigger a wave of similarly sophisticated mobile threats. The mobile security bar has now risen significantly.
Advanced Defense Strategies Against Malicious Virtualization
- “Store-Only” Policy & Permission Awareness – Educate users to install only from official stores and be wary of unusual permission requests—especially accessibility or device admin rights.
- Mobile Threat Defense (MTD) Solutions – Enterprises should deploy MTD tools capable of detecting virtualization environments or hooking frameworks like Xposed, and of flagging suspicious data transmissions or unauthorized hooks.
- Up-to-Date Devices & Android Protections – Ensure devices run the latest Android versions with security patches. Android 13’s restrictions on accessibility after sideloading, though bypassable, still raise the attacker’s difficulty level.
- Server-Side (Bank) Security Measures – Financial institutions must assume client devices may be compromised and implement anomaly detection, out-of-band confirmations, and tight API protection to spot fraud even from legitimate-looking sessions.
- App Hardening & Tamper Detection – Banking apps should integrate root, virtualization, and Xposed detection, enforce integrity checks (e.g., launch validation, executable hash verification), and undergo regular pen-testing in adversarial environments.
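As an added illustration of the in-app detection item above (a hypothetical helper written for this article, not code from the Zimperium report, Godfather, or any bank app), the following Android class applies a few cheap heuristics that a VirtualApp-style container or an Xposed hook tends to disturb. It assumes the normal Android data-directory layout and that the class is called early in the app's own process.

```java
import android.content.Context;
import android.os.Process;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.regex.Pattern;

/*
 * Hypothetical helper: best-effort signals that the app is running inside an
 * app-virtualization container or under a hooking framework. A hooking framework
 * can in principle forge every answer, so treat the result as a risk signal to
 * report server-side, not as the sole client-side gate.
 */
public final class ContainerCheck {
    private ContainerCheck() {}

    /* Android places app data at /data/data/<pkg> or /data/user/<n>/<pkg>. A container
     * relocates the virtualized app's data under the host app's own directory. */
    public static boolean dataDirRelocated(Context ctx) {
        String pkg = Pattern.quote(ctx.getPackageName());
        String dataDir = ctx.getApplicationInfo().dataDir;
        return !dataDir.matches("/data/(data|user/\\d+)/" + pkg);
    }

    /* In a container the real Linux uid typically belongs to the host APK, while the
     * ApplicationInfo handed to the guest carries a virtual uid assigned by the container. */
    public static boolean uidMismatch(Context ctx) {
        return ctx.getApplicationInfo().uid != Process.myUid();
    }

    /* /proc/self/cmdline is the kernel's view of the process name. An app normally runs in
     * a process named after its own package (optionally "<pkg>:suffix"), not the host's. */
    public static boolean processNameForeign(Context ctx) {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/cmdline"))) {
            String line = r.readLine();
            if (line == null) return true;
            String name = line.split("\0")[0];  // cmdline arguments are NUL-separated
            String pkg = ctx.getPackageName();
            return !(name.equals(pkg) || name.startsWith(pkg + ":"));
        } catch (IOException e) {
            return true;  // unreadable procfs is itself unusual; treat as suspicious
        }
    }

    /* Xposed loads its bridge into each process and leaves its frames on the call stack. */
    public static boolean xposedFramesPresent() {
        for (StackTraceElement f : Thread.currentThread().getStackTrace()) {
            if (f.getClassName().startsWith("de.robv.android.xposed")) return true;
        }
        return false;
    }

    public static boolean looksCompromised(Context ctx) {
        return dataDirRelocated(ctx) || uidMismatch(ctx)
                || processNameForeign(ctx) || xposedFramesPresent();
    }
}
```

Call `ContainerCheck.looksCompromised(getApplicationContext())` from `Application.onCreate()` and include the individual flags in the device-risk data sent to the bank's backend, so the server-side anomaly detection described above can weigh them against the session.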
Awareness and Incident Response Best Practices
- User Awareness & Staff Training – Educate users about APK risks, suspicious links, and permission vigilance. Internal security teams must monitor IoCs related to Godfather and inspect network traffic for compromised devices.
- Collaboration & Threat Intelligence Sharing – Effective defense requires cross-industry collaboration between security vendors, OS developers, banks, and law enforcement. Sharing signatures, C2 addresses, and tactics helps contain threats faster.
- Incident Response Planning – Organizations must prepare for mobile-focused breaches. If fraudulent activity is suspected, clients must be notified quickly and provided with mitigation steps, and authorities must be engaged to take down C2 infrastructure.
Conclusion
The emergence of the Godfather trojan with virtualization marks a paradigm shift in mobile security: the attack is no longer visible to, or even suspected by, users, because it operates behind a perfectly legitimate interface.
In the modern mobile era, it’s no longer enough to secure just the app—your money is only as safe as the device it runs on.