Zimperium has identified a new iteration of the Godfather malware targeting Android phones. This malware, which has a long history, was first detected in 2021 and made a resurgence in December 2022.
At that time it was documented as a major banking trojan, active in 16 countries and attempting to steal credentials for more than 400 online banking platforms and cryptocurrency exchanges. The Godfather malware has now re-emerged, with researchers reporting a more dangerous version that is currently affecting Turkish Android users.
This latest variant has improved evasion tactics and is designed to simplify the malware’s operations. Although it remains a banking trojan, its methods have evolved significantly.
Previous versions utilized an overlay technique, placing an invisible layer over banking apps to deceive users into revealing their credentials. The new version enhances its approach by creating a virtualized instance of the banking app within a sandbox environment on the infected device.
This method circumvents the need for excessive permissions, allowing the malware to carry out wire fraud more discreetly. Once it infects a device, the Godfather malware scans for installed banking apps and creates a counterfeit version that launches in place of the genuine application.
This tactic is a highly effective means of executing fraud. Beyond stealing login credentials, the new variant can also capture PIN codes and unlock patterns.
This capability allows it to remotely control the device, potentially enabling wire transfers without the user’s awareness. While this variant has only been observed in Turkey, its potential to spread to other markets remains a serious concern.