The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Godfather Evolves With Advanced On-Device Virtualization Capabilities

Jun 30, 2025 1:56:44 PM / by The Hivemind

Verticals Targeted: Financial
Regions Targeted: Not specified
Related Families: None

Executive Summary

Industry researchers have identified an advanced evolution of the Godfather banking trojan, which employs on-device virtualization to hijack mobile banking and cryptocurrency applications on Android devices. This sophisticated technique allows attackers to monitor and control user interactions within a virtualized app environment, posing a significant threat to mobile security.

Key Takeaways

  • Godfather malware uses a virtualization framework to run legitimate banking and cryptocurrency apps in a controlled sandbox, intercepting user inputs.  
  • The malware leverages Android’s Accessibility Service to capture detailed tap events and screen information, enhancing its data theft capabilities.  
  • It employs open-source tools like VirtualApp and Xposed to execute virtualization and overlay attacks.  
  • Approximately 484 applications, primarily banking and cryptocurrency apps, are targeted, with commands issued via a Base64-encoded C2 server.  

What is Godfather?

Zimperium zLabs recently uncovered a significant evolution in the Godfather banking trojan, which now leverages advanced on-device virtualization to compromise Android-based mobile banking and cryptocurrency applications. This sophisticated approach marks a departure from traditional overlay attacks, enabling attackers to create a fully controlled virtual environment on infected devices, where user interactions are monitored and manipulated in real time.  

The malware’s core mechanism involves installing a malicious “host” application that embeds a virtualization framework. This host downloads and runs legitimate target applications, such as banking or cryptocurrency apps, within an isolated sandbox. When users launch their apps, they are seamlessly redirected to this virtualized instance, unaware that every tap, swipe, and data entry is under the malware’s control.  

Godfather exploits Android’s Accessibility Service to enhance its capabilities, capturing detailed screen information and tap events once permissions are granted. This allows the malware to “see” user interactions across all apps, significantly increasing its ability to steal sensitive data. The malware communicates with its command-and-control (C2) server via a Base64-encoded URL stored in its shared preferences, enabling attackers to issue commands and retrieve stolen data. A predefined list of 484 targeted applications, primarily in the banking and cryptocurrency sectors, is maintained and updated through C2 communications.  
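The report notes that the C2 URL is kept Base64-encoded in the app's shared preferences. The following triage helper is an added example (not PolySwarm's or Zimperium's code) that scans a shared_prefs XML file pulled from a device or emulator and reports every string entry that decodes to an http(s) URL. The sample preferences file and the `.invalid` URL inside it are constructed for the demonstration and are not indicators from the report.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the layout of an Android shared_prefs XML file.
# The URL is a placeholder (.invalid TLD), not an indicator from the report.
C2_URL = "https://c2.example.invalid/gate.php"
SAMPLE_PREFS = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="theme">dark</string>
    <string name="cfg">{base64.b64encode(C2_URL.encode()).decode()}</string>
    <int name="launch_count" value="3" />
    <string name="token">not-base64!</string>
</map>
"""

# Standard Base64 alphabet with optional padding. A minimum length of 8 keeps
# short ordinary words (which often happen to be valid Base64) out of the results.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_as_url(value: str):
    """Return the decoded URL if `value` is Base64 that decodes to an http(s) URL, else None."""
    if len(value) < 8 or len(value) % 4 != 0 or not _B64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # bad padding/alphabet, or the bytes are not valid UTF-8
        return None
    parsed = urlparse(decoded)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return decoded
    return None


def find_encoded_urls(prefs_xml: str):
    """Scan every <string> entry of a shared_prefs file; return (key, decoded_url) pairs."""
    root = ET.fromstring(prefs_xml)
    hits = []
    for entry in root.iter("string"):
        url = decode_as_url((entry.text or "").strip())
        if url is not None:
            hits.append((entry.get("name"), url))
    return hits


if __name__ == "__main__":
    # Constructed input: prints "cfg: https://c2.example.invalid/gate.php"
    for key, url in find_encoded_urls(SAMPLE_PREFS):
        print(f"{key}: {url}")
```

Run it over each `shared_prefs/*.xml` file extracted from the suspect package's data directory; any decoded URL is a candidate C2 to block at the network edge and to pivot on in other samples. The check is deliberately strict (full Base64 alphabet, correct padding, UTF-8, http(s) scheme) so that ordinary preference values do not produce noise.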

To execute its virtualization and overlay attacks, Godfather incorporates legitimate open-source tools, including VirtualApp, XposedBridge, XposedInstaller, and Xposed. These tools facilitate the creation of the virtual environment and support traditional overlay techniques, where deceptive screens are placed over legitimate apps to capture credentials. The malware also downloads critical Google APKs—such as Google Play Store, Play Services, and Google Services Framework—writing them to the virtual folder to ensure compatibility within its sandbox.  
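Two of the traits described above, a service that binds the Accessibility Service and components belonging to an embedded virtualization or hooking framework, are visible in a decoded AndroidManifest.xml before any dynamic analysis. The script below is an added example (not code from the report or from the projects named) that flags both. It assumes the manifest has already been decoded to plain XML (for instance with apktool) and that VirtualApp and Xposed components keep their upstream package namespaces, `com.lody.virtual` and `de.robv.android.xposed`; the sample manifest and its component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Package prefixes assumed to identify the open-source frameworks named in the report.
FRAMEWORK_PREFIXES = {
    "com.lody.virtual": "VirtualApp",
    "de.robv.android.xposed": "Xposed",
}

# Constructed manifest in the shape of a host app bundling a virtualization framework.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hostapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Host">
    <service android:name=".CaptureService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <activity android:name="com.lody.virtual.client.stub.StubActivity"/>
    <provider android:name="com.lody.virtual.client.stub.StubContentProvider"
              android:authorities="com.example.hostapp.virtual_stub"/>
  </application>
</manifest>
"""


def accessibility_services(manifest_xml: str):
    """Names of <service> components that bind the Accessibility Service."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if perm == ACCESSIBILITY_PERMISSION or ACCESSIBILITY_ACTION in actions:
            found.append(svc.get(ANDROID_NS + "name"))
    return found


def embedded_frameworks(manifest_xml: str):
    """Map framework label -> declared component names that live in its package namespace."""
    root = ET.fromstring(manifest_xml)
    hits = {}
    for element in root.iter():
        name = element.get(ANDROID_NS + "name") or ""
        for prefix, label in FRAMEWORK_PREFIXES.items():
            if name.startswith(prefix + "."):
                hits.setdefault(label, []).append(name)
    return hits


def triage(manifest_xml: str):
    """Combine both signals; a hit on both is a much stronger signal than either alone."""
    services = accessibility_services(manifest_xml)
    frameworks = embedded_frameworks(manifest_xml)
    return {
        "accessibility_services": services,
        "frameworks": frameworks,
        "suspicious": bool(services) and bool(frameworks),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

An accessibility service on its own is not evidence of malice; screen readers and automation tools declare the same permission and intent action. The combination with virtualization-framework stubs in a package that has no business running other apps, together with an encoded C2 URL in its preferences, is what justifies escalating the sample.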

The trojan’s command set enables remote management of infected devices, allowing attackers to dictate behaviors such as data exfiltration or additional app installations. This dual approach of virtualization and overlay attacks underscores the adaptability of the threat actors, who combine cutting-edge techniques with proven methods to maximize impact. The absence of specific geographic targeting suggests a broad attack surface, with any Android device running targeted apps at risk. PolySwarm analysts consider Godfather to be an evolving threat. 

IOCs

PolySwarm has multiple samples of Godfather.

df418b66744caf676d632a9ddc2633bc9d9ac4394b40451941ffdd18354205a3
1090ebbd319ee27cca9254c6c9d3329855c4e2dc7695e12beac31a1a47bb9ae8
29caf2912a0c42d3749a50852a60a221855a2dccf686b10360985b325749e906
3559d2f35195062615d389f6ef5c7a2961268db13230af893dbe60026555e4a8
f19cc8af1312ca1ee2b35d64f12704b660040c1ef7aa6ca60de990edea07c79b
75de4a110533292b14fd79f1f9621ab50362fb64b3378da381d23d07eebe04cb

You can use the following CLI command to search for all Godfather samples in our portal:

$ polyswarm link list -f Godfather


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Evolving Threat, Android Malware, Godfather Malware, Mobile Banking Trojan, on-device virtualization, cryptocurrency app attacks, accessibility service abuse, overlay attacks, mobile security threats, banking app hijacking
