GodFather Android Malware Leverages On-Device Virtualization Technique to Hijack Legitimate Banking Apps

A sophisticated evolution of the GodFather banking malware has emerged, introducing a groundbreaking attack methodology that exploits on-device virtualization to compromise legitimate mobile applications.

This advanced threat represents a significant departure from traditional overlay attacks, creating complete isolated virtual environments on victim devices to execute more deceptive and effective financial fraud operations.

The malware’s primary focus targets mobile banking and cryptocurrency applications, demonstrating a calculated approach to maximizing financial gain through technological innovation.

The core innovation of this malware variant lies in its ability to install a malicious host application containing a comprehensive virtualization framework.

Rather than simply displaying fake login screens over legitimate applications, the malware downloads and executes actual copies of targeted banking or cryptocurrency apps within its controlled sandbox environment.

When users attempt to launch their legitimate applications, they are seamlessly redirected to these virtualized instances, where every interaction, keystroke, and data entry is monitored and controlled in real time by the malicious actors.

Zimperium researchers identified this sophisticated campaign as targeting nearly 500 applications globally, with particular focus on Turkish financial institutions.

The security firm’s zLabs division uncovered that this virtualization technique provides attackers with unprecedented visibility into application processes, enabling real-time credential interception and bypassing traditional security mechanisms such as root detection.

The launcher installs the asset APK using session-based installation (Source – Zimperium)

The malware’s evolution includes enhanced evasive capabilities through ZIP manipulation and code migration to the Java layer, specifically designed to defeat static analysis tools used by security researchers.

The impact of this attack vector extends far beyond conventional mobile threats. The malware grants attackers comprehensive access to login credentials, including usernames, passwords, and device PINs, ultimately facilitating complete account takeover scenarios.

Most concerning is the attack’s perfect deception capability, as users interact with genuine, unaltered applications within the virtualized environment, making detection through visual inspection nearly impossible and effectively neutralizing user vigilance as a defense mechanism.

This discovery represents a substantial advancement beyond previously documented research, including earlier malware families like FjordPhantom and recent analysis published in November 2024.

The technique fundamentally undermines the trust relationship between users and their mobile applications, transforming the device itself into an untrusted environment where legitimate applications become tools for espionage and theft.

Advanced Virtualization and Hooking Framework Implementation

The technical architecture of GodFather’s virtualization attack relies on legitimate open-source tools including Virtualapp, Xposedbridge, XposedInstaller, and Xposed frameworks to execute its sophisticated overlay operations.

Some information collected via accessibility services is sent to the C2 (Source – Zimperium)

The malware exploits these tools’ legitimate capabilities to create sandboxed environments and hook into specific application programming interfaces, ensuring smooth operation of malicious code within virtual spaces while extracting critical user data.

The virtualization process operates through a container-based approach where a single application hosts multiple secondary applications within a virtual filesystem managed by the host.

When targeted applications launch, the host creates new processes identified as “com.heb.reb:va_core” and loads hosted applications within them.

The malware systematically gathers lists of installed applications, checking against predetermined target lists, and if targeted banking applications are present, downloads and installs Google Play Store components into the virtual environment.

Fake intent to launch the Virtual app to mimic the banking application (Source – Zimperium)

GodFather employs sophisticated hooking methods customized for specific banking applications, utilizing the Xposed framework to intercept network connections by hooking the build() method of the OkHttpClient.Builder class.

This technique injects custom interceptors into client configurations, enabling comprehensive logging of network requests and responses.

Additionally, the malware hooks critical APIs such as getEnabledAccessibilityServiceList, returning empty lists to conceal active malicious services from banking applications’ security checks.
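A defensive counterpart to the behaviour described in the two passages above, written as an added example (it is not Zimperium's code and nothing from the malware): startup self-checks a banking app could run to flag the symptoms the analysis names, namely running inside a host process such as "com.heb.reb:va_core" rather than its own, a data directory outside the normal Android layout, the hook that hides enabled accessibility services, and interceptors that OkHttpClient.Builder.build() added without the app registering them. The class name, method names and the expected data-directory pattern are assumptions of this example.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Application;
import android.content.Context;
import android.os.Build;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;
import java.util.List;
import java.util.regex.Pattern;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;

/** Hypothetical startup self-checks; each returns a finding to report, or null if clean. */
public final class ContainerIntegrityChecks {

    /** A hosted app runs inside the host's process (e.g. "com.heb.reb:va_core"), not its own. */
    public static String checkProcessName(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) return null; // API 28+ only
        String proc = Application.getProcessName();
        String pkg = ctx.getPackageName();
        boolean ownProcess = proc.equals(pkg) || proc.startsWith(pkg + ":");
        return ownProcess ? null : "process '" + proc + "' does not belong to " + pkg;
    }

    /** Under a virtual filesystem the data dir sits below the host's private storage. */
    public static String checkDataDir(Context ctx) {
        String dataDir = ctx.getApplicationInfo().dataDir;
        // Assumption: a non-virtualized install lives at /data/data/<pkg> or /data/user/<N>/<pkg>.
        String expected = "^/data/(data|user/\\d+)/" + Pattern.quote(ctx.getPackageName()) + "$";
        return dataDir.matches(expected) ? null : "unexpected data dir " + dataDir;
    }

    /** The hooked API returns an empty list; cross-check it against the Settings provider. */
    public static String checkAccessibilityHidden(Context ctx) {
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> viaApi =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        String viaSettings = Settings.Secure.getString(
                ctx.getContentResolver(), Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        boolean settingsSaysEnabled = viaSettings != null && !viaSettings.isEmpty();
        return (settingsSaysEnabled && viaApi.isEmpty()) ? "accessibility services hidden from API" : null;
    }

    /** A hooked OkHttpClient.Builder.build() injects interceptors the app never registered. */
    public static String checkInterceptors(OkHttpClient client, List<Class<?>> registered) {
        for (Interceptor i : client.interceptors()) {
            if (!registered.contains(i.getClass())) return "unexpected interceptor " + i.getClass().getName();
        }
        return null;
    }
}
```

Because an Xposed-style hook can cover the Settings query and the other calls as well, these results are a signal to report to the backend for risk scoring, not an authoritative verdict.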


The post GodFather Android Malware Leverages On-Device Virtualization Technique to Hijack Legitimate Banking Apps appeared first on Cyber Security News.