
Godfather Trojan Uses Virtual Environments to Spy on Banking Apps

Written by Adan Cuevas | Jun 20, 2025 10:32:54 PM

A new version of the Android banking trojan known as "Godfather" takes data theft a step further. It embeds a virtualization framework that lets it run the victim's genuine banking apps inside a container on the phone that the malware itself controls, so it can watch and tamper with them without raising suspicion.

What is both striking and concerning is that the apps running inside this virtual space are the real ones, not lookalikes. Because the malware owns the container, it can see everything you do, capture your passwords and even manipulate transactions, all while the screen shows the legitimate app behaving normally.

The technique resembles the one used by another Android malware, FjordPhantom, in late 2023, which also launched applications inside a virtual environment to evade detection. Godfather takes it further.

Its reach is far greater: it targets over 500 apps worldwide, including banks, cryptocurrency platforms and e-commerce services. It maintains a complete virtual file system, spoofs process IDs and uses intent spoofing to disguise which app is really running. To the user and to Android's own checks, everything appears to be functioning as it should.

In short: you see your banking app exactly as you know it, but you are interacting with it inside a container the malware controls, and everything you enter is intercepted in real time.


Data Theft Through Virtual Environments


Godfather arrives as a seemingly harmless APK that carries an entire virtualization framework. It builds on open-source components: VirtualApp, which can install and run other apps' code inside processes that belong to the host app, and Xposed-style hooking, which lets the host intercept the Android framework calls those apps make and alter their behavior.

Once active on the phone, it first checks whether any of its target apps, banking apps above all, are installed. If it finds one, it does not attack it directly. Instead, it loads that app into its own virtual environment, a sandbox that it fully controls, and uses a placeholder component called StubActivity to launch the app from inside that container.

So what is StubActivity? Android will only start activities that are declared in an installed app's manifest, and the bank's activities are declared in the bank's app, not in the malware's. The malicious host therefore declares generic, empty placeholder activities of its own. When the virtualized app needs to show a screen, the framework starts one of these stubs, and the stub in turn loads and displays the real app's activity inside it. As far as the system is concerned, the activity on screen belongs to the host app; as far as the user is concerned, it is the bank's app. Everything drawn in it passes through code the malware controls.

This is how Godfather makes everything look normal. You see the familiar app, but it is running inside an environment the malware owns, and every tap, password or piece of data you enter can be observed and captured.


Creation of the Virtualized Environment (Source: Zimperium)


When the victim opens their usual banking app, Godfather is already prepared. Using the accessibility permission (the one users often grant without thinking), the malware sees the launch, the intent that Android uses to start an app, and rather than letting the genuine installation start on its own, it brings up the copy running inside its virtual environment through its StubActivity.

The result? The user sees the bank's real interface, because it is the bank's real code that is running. What they do not know is that it is running inside a container controlled by the malware, and everything they type or tap can be captured.

Through Xposed-style hooks, Godfather intercepts key system and framework functions to spy in real time. It can log usernames, passwords, PINs and screen taps, and, by hooking the app's network calls, even the responses returned by the bank's servers. In other words, everything you do inside the app can be observed and stolen.
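A static triage check for this kind of virtualization host, covering the VirtualApp/Xposed building blocks and the StubActivity placeholders described above. This is an added example in Python, not code from Zimperium or from the malware: it inspects a decoded AndroidManifest.xml (for instance as produced by apktool) for stub components, an accessibility service and the permission needed to enumerate installed apps. The sample manifest is constructed, and the indicator strings (the com.lody.virtual package of the public VirtualApp project and the de.robv.android.xposed API package) are assumptions based on those open-source projects, not signatures taken from a Godfather sample.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Assumed indicators, taken from the public VirtualApp (com.lody.virtual) and
# Xposed (de.robv.android.xposed) projects the article names as building blocks.
# They are not signatures extracted from a Godfather sample.
STUB_RE = re.compile(r"\.stub\.Stub(Activity|Dialog|ContentProvider|Service)\$C\d+$")
VIRT_PREFIXES = ("com.lody.virtual.",)
XPOSED_PREFIXES = ("de.robv.android.xposed.",)
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ENUM_PERM = "android.permission.QUERY_ALL_PACKAGES"  # lets the host list installed apps on Android 11+

# Constructed sample manifest (decoded) of a host app that embeds VirtualApp-style
# stub components plus an accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.updater">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:name="com.example.updater.App">
    <activity android:name="com.example.updater.MainActivity"/>
    <activity android:name="com.lody.virtual.client.stub.StubActivity$C0"/>
    <activity android:name="com.lody.virtual.client.stub.StubActivity$C1"/>
    <activity android:name="com.lody.virtual.client.stub.StubActivity$C2"/>
    <provider android:name="com.lody.virtual.client.stub.StubContentProvider$C0"
              android:authorities="com.example.updater.virtual_stub_0"/>
    <service android:name="com.example.updater.A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Collect virtualization-related indicators from a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = {"stub_components": [], "virt_classes": [], "xposed_classes": [],
                "accessibility_services": [], "can_enumerate_apps": False}
    findings["can_enumerate_apps"] = any(
        p.get(A_NAME) == ENUM_PERM for p in root.findall("uses-permission"))
    app = root.find("application")
    if app is None:
        return findings
    for comp in app.iter():
        if comp.tag not in ("activity", "service", "provider", "receiver"):
            continue
        name = comp.get(A_NAME) or ""
        if STUB_RE.search(name):            # generic placeholders other apps are loaded into
            findings["stub_components"].append(name)
        if name.startswith(VIRT_PREFIXES):
            findings["virt_classes"].append(name)
        if name.startswith(XPOSED_PREFIXES):
            findings["xposed_classes"].append(name)
        if comp.tag == "service" and comp.get(A_PERMISSION) == A11Y_BIND:
            findings["accessibility_services"].append(name)
    return findings


def verdict(findings):
    """Stub components alone mean the APK can host other apps' code; combined with an
    accessibility service (used to hijack the real app's launch) and the ability to
    enumerate installed packages, it matches the pattern described in the article."""
    hosts_apps = bool(findings["stub_components"] or findings["virt_classes"])
    if not hosts_apps:
        return "no virtualization indicators"
    if findings["accessibility_services"] and findings["can_enumerate_apps"]:
        return "virtualization host with accessibility service: high risk"
    return "virtualization host: review"


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print(key, value)
    print(verdict(result))
```

Legitimate app-cloning or dual-app utilities also ship VirtualApp-style stubs, so the stub components on their own only say that the APK can host other apps; it is the combination with an accessibility service and package enumeration, on a sideloaded APK, that makes the finding worth escalating.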


Network Hooks Used by Godfather (Source: Zimperium)


At critical moments, the malware shows a fake lock screen that looks completely legitimate. The goal? To get the victim to enter their device PIN or password without suspecting anything.

Once it has captured those credentials, the malware waits for instructions from its operators. When they arrive, it can take remote control of the phone: unlock the device, navigate the interface, open apps and even initiate payments or transfers from the actual banking app.

While all of this is happening, the user notices nothing. Godfather covers the screen with a black overlay or a fake "updating" message to keep up the appearance of normality while the operator works in the background.


A Threat That Keeps Evolving


Godfather is not new to the world of Android malware. It has been tracked since at least March 2021 and has been improved continuously since then.

The latest version marks a significant leap from what was seen in 2022. At that time the trojan already targeted more than 400 applications across 16 countries, using fake HTML login overlays and focusing in particular on cryptocurrency and financial apps.

Today, although the most recent campaign appears to concentrate on a small set of banking apps in a single region (Turkey, according to Zimperium), that is no reason to relax. Godfather carries target definitions for over 500 applications worldwide, so the groups using it could switch it to other regions at any time simply by changing the target list.


How to Protect Yourself?

  1. Only install apps from Google Play or other official, trusted sources; Godfather arrives as a sideloaded APK.

  2. Keep Google Play Protect enabled for an extra layer of checking.

  3. Review the permissions an app requests before installing it, and be especially wary of any app that asks to be enabled as an accessibility service; that is the permission Godfather uses to hijack the launch of your real banking app and to control the device. If something seems off, do not proceed.
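For anyone checking a device after the fact, the practical question behind items 1 and 3 is which installed apps hold accessibility-service access and where they came from. The following added example in Python (it is not part of the article and not a tool from Zimperium or Google) parses the output of two standard adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags enabled accessibility services belonging to third-party packages that were not installed by the Play Store. The command output below is constructed, and the trusted-installer set is an assumption to adapt to your own policy.

```python
import re

# Constructed sample output of:  adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated "package/ServiceClass" component names; the class may be
# abbreviated as ".ServiceClass" relative to the package.
SAMPLE_A11Y_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/.A11yService"
)

# Constructed sample output of:  adb shell pm list packages -3 -i
# (third-party packages only, each with the package that installed it)
SAMPLE_PM_OUTPUT = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.bank  installer=com.android.vending
"""

# Assumption: only the Play Store counts as trusted here; add your MDM or OEM store as needed.
TRUSTED_INSTALLERS = {"com.android.vending"}

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output):
    """Map package name -> installer package. Android reports 'null' for apps that
    were sideloaded (including installs over adb); those are mapped to None."""
    installers = {}
    for line in pm_output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def parse_enabled_services(setting_value):
    """Split the enabled_accessibility_services value into (package, class) pairs."""
    value = (setting_value or "").strip()
    if value in ("", "null"):            # 'settings get' prints null when nothing is enabled
        return []
    services = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):          # expand the abbreviated class form
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def flag_accessibility_risks(setting_value, pm_output):
    """Return enabled accessibility services of third-party packages whose installer
    is not trusted. Packages absent from the third-party list (preinstalled apps
    such as TalkBack on many devices) are out of scope for this check."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg, cls in parse_enabled_services(setting_value):
        if pkg not in installers:
            continue
        installer = installers[pkg]
        if installer not in TRUSTED_INSTALLERS:
            flagged.append({"package": pkg, "service": cls, "installer": installer})
    return flagged


if __name__ == "__main__":
    for hit in flag_accessibility_risks(SAMPLE_A11Y_SETTING, SAMPLE_PM_OUTPUT):
        print("suspicious accessibility service:", hit)
```

A sideloaded package with an enabled accessibility service is not proof of Godfather, but it is exactly the combination the article describes as the trojan's entry point, so it is the first thing to pull for closer inspection (for example with the manifest triage of the package's APK).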


The key is to stay vigilant. This type of malware keeps evolving, and understanding how it works is your best defense.