- Researchers warn of malware that runs real applications inside a fake virtual environment
- GodFather evades security checks and layers fake screens over real apps to steal credentials
- It targets banking and cryptocurrency applications worldwide with near-invisible techniques
Zimperium zLabs has discovered a new version of the GodFather malware that uses on-device virtualization to hijack real banking and cryptocurrency applications.
Unlike older attacks that showed fake login screens, this malware launches the real application inside a virtual space where the attackers can see everything the user does.
The attack begins with a host application that bundles a virtualization framework: this host downloads the targeted banking or cryptocurrency application and runs it in a private environment.
Going beyond simple overlays
When users open their app, they are redirected, without knowing it, to the virtualized copy. From there, every touch input, login and PIN is tracked in real time.
Because the user is interacting with a real application, the attack is almost impossible to detect by looking at the screen.
GodFather also uses ZIP manipulation tricks and hides much of its code in ways that defeat static analysis. It requests accessibility permissions and then grants itself further access, which keeps the attack quiet and hard to detect.
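A banking app can apply a defensive self-check against the hosting technique described above: a normally installed app lives in its own `/data/user/<n>/<package>` directory, while a copy run inside a virtualization host sits under the host's private directory. The following Java class is an added illustrative example, not code from Zimperium or from the report; the path patterns and the `VirtualizationCheck` name are assumptions, and because virtualization frameworks can hook framework APIs, the result is a signal to combine with behavior-based and server-side detection, not proof.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Startup heuristic: does this process look hosted inside another app's sandbox? (illustrative) */
public final class VirtualizationCheck {
    // A normally installed app gets /data/user/<n>/<pkg> or the legacy /data/data/<pkg>.
    private static final Pattern NATIVE_DATA_DIR =
            Pattern.compile("^/data/(?:user/\\d+|data)/([^/]+)/?$");

    private VirtualizationCheck() {}

    /** Returns true when the runtime environment does not match a normal installation. */
    public static boolean looksVirtualized(Context ctx) {
        String pkg = ctx.getPackageName();
        ApplicationInfo info = ctx.getApplicationInfo();

        // 1. Data directory: under a virtualization host it typically looks like
        //    /data/user/0/<host>/virtual/data/user/0/<pkg>, so the first component
        //    after /data/user/<n>/ is the host package, not our own.
        String dataDir = info.dataDir;
        if (dataDir == null) return true;
        Matcher m = NATIVE_DATA_DIR.matcher(dataDir);
        if (!m.matches() || !m.group(1).equals(pkg)) return true;

        // 2. getFilesDir() must sit inside that same data directory; a host that
        //    redirects file I/O to its own storage breaks this relationship.
        String filesDir = ctx.getFilesDir().getAbsolutePath();
        if (!filesDir.startsWith(dataDir + "/")) return true;

        // 3. The APK we were loaded from should come from the system's app install
        //    location (/data/app/...), not from a file the host app downloaded.
        //    Devices with adopted storage may use other prefixes; treat as a heuristic.
        String src = info.sourceDir;
        return src == null || !src.startsWith("/data/app/");
    }
}
```

A positive result should lead the app to refuse to show login or transaction screens and to report the condition to the bank's fraud monitoring, rather than to silently continue.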
“Mobile attackers are moving beyond simple overlays; virtualization gives them unrestricted access and lets them live inside trusted applications,” said Fernando Ortega, Senior Security Researcher at Zimperium zLabs.
“Companies need on-device protection, behavior-based detection and runtime defenses to stay ahead of this shift toward a mobile-first attack strategy.”
Zimperium’s analysis shows that this GodFather version focuses on Turkish banks, but the campaign targets nearly 500 applications worldwide, including financial services, cryptocurrency platforms, e-commerce and messaging applications.
The malware checks for specific applications on the device, loads them into the virtual space and uses the cloned copy to collect data and track user behavior.
It can also steal the device’s lock screen credentials using fake overlays that look like system prompts.
Attackers can control the infected phone remotely using a set of commands. These can, among other things, open applications, change screen brightness and simulate user actions.
How to stay safe
- Avoid installing applications from unknown sources: always use official stores such as Google Play.
- Check application permissions carefully. If an app requests accessibility access or screen overlay permission without a clear reason, uninstall it immediately.
- Keep your phone’s operating system updated.
- Use mobile security tools from trusted developers.
- Avoid sideloaded APK files, even when shared by someone you know.
- Restarting your phone regularly can help frustrate persistent malware.
- Pay attention to unusual behavior, such as faster-than-usual battery drain and strange, unexpected overlays.
- If your banking app ever looks different or asks you to log in more often than usual, stop using it and contact your bank.