Zimperium has revealed new zLabs research, detailing an advanced evolution of the GodFather Android banking trojan, using on-device virtualisation to steal credentials from banking and crypto apps.

The trojan technique allows attackers to run the real app inside a malicious sandbox, capture every tap and credential in real time and bypass traditional overlay-based defences.

Mobile-attackers

These attackers are able to deceive users into using what appears to be the ‘genuine app’ making visual detection impossible.

Zimperium has reported that mobile attackers can harvest usernames, passwords, device PINs and even lock-screen credentials.

The company has articulated that despite the latest wave of mobile attacks focusing on a dozen Turkish financial institutions, any sector that relies on mobile apps i.e., finance, retail, healthcare, government – face identical risks.

GodFather reportedly layers ZIP-format tampering, accessibility abuse and Xposed-based hooking to blind static scanners and root-detection checks.

“A mobile-first attack strategy”

Fernando Ortega, Senior Security Researcher, Zimperium said: “Mobile attackers are moving beyond simple overlays; virtualisation gives them unrestricted, live access inside trusted apps.

“Enterprises need on-device, behaviour-based detection and runtime app protection to stay ahead of this shift toward a mobile-first attack strategy.”