
Mobile malware has been evolving for over 20 years, targeting mobile devices through a wide range of vectors for a variety of ends. Early mobile malware relied on Bluetooth to spread between devices, and mobile malware threats have since adopted newer technologies, targeted different applications, and developed evasion tactics. Recent findings by Zimperium zLabs demonstrate an advance in the GodFather banking malware. The new method is “more deceptive and effective,” representing a major evolution of the malware’s capabilities.
Virtualization as a Weapon
The evolution in GodFather’s functionality stems from its method of creating full, isolated virtual environments on target devices. The malware installs and uses a malicious application to build a virtualization framework, then runs a copy of the targeted app inside its own sandbox. This is more deceptive than traditional overlay techniques like spoofing domains and creating fake login pages, though GodFather continues to use those overlay tactics alongside the newer attack. The fully controlled sandbox offers critical benefits for attackers: complete visibility into the app’s processes, remote control functions, and the ability to render user vigilance and awareness all but moot.
Under the Hood: How the Attack Works
The malware uses Android’s accessibility services to take advantage of a select few permissions in order to escalate privileges and install the actual payload. It relies on a session-based installation technique to bypass the restriction of accessibility permissions. The malware payload, hidden in the assets folder, requests accessibility permissions which, when granted, then allow it to grant additional permissions without the user’s knowledge. The app finally executes a copy of the targeted app, primarily banking and crypto apps, within the sandbox.
The targeted apps include 12 different Turkish banks and many more applications across a range of sectors and regions. Some of the verticals affected by this malware attack are global payments and e-commerce, social media and communication, financial and banking applications, and cryptocurrency exchanges and wallets. These add up to almost 500 apps around the world with hundreds of millions of users.
Exploiting Open-Source Tools for Malicious Ends
The GodFather malware has been found to leverage several legitimate open-source tools in order to carry out attacks. These tools, including VirtualApp, XposedBridge, and XposedInstaller, supply the building blocks of the attack, from running apps in sandboxed virtual environments to hooking specific APIs. They are repurposed for nefarious ends to make malicious code run smoothly and exfiltrate critical data. Malicious use of legitimate tools is not an uncommon tactic for threat actors, and the risk appears on the OWASP Top 10 list for open-source software.
Stealth and Evasion Techniques
In addition to advancing its methods for deceiving targets, these recent attacks also use advanced techniques for going undetected and evading security tools. The GodFather samples found use a ZIP manipulation technique that alters the APK’s ZIP structure and the layout of the Android Manifest file. This enables the malware to bypass static analysis tools and evade detection. Session-based installation tricks allow the attack to bypass permission restrictions, and C2 servers are concealed as encoded URLs hidden in shared preferences.
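As an added example (not code from Zimperium’s report or from this article), the Python script below implements two of the checks a defender would apply to the evasion tricks just described: it verifies that an APK’s ZIP central directory agrees with its local file headers and uses only standard compression methods, and it scans a SharedPreferences XML file for string values that become URLs only after base64 decoding. Android’s package parser works from the central directory, so an archive whose central directory and local headers disagree can show an analysis tool different content than the device installs. The article does not detail the exact header manipulations GodFather applies, so the checks are generic; the sample archive, its tampered variant, and the preferences file are all constructed inline.

```python
# Structural checks for an APK's ZIP container plus a scan of SharedPreferences XML
# for base64-hidden URLs. All samples below are constructed here, not taken from malware.
import base64
import binascii
import io
import re
import struct
import xml.etree.ElementTree as ET
import zlib

LOCAL_SIG, CDIR_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
STORED, DEFLATED = 0, 8


def build_zip(files, cd_overrides=None):
    """Write a minimal ZIP from {name: bytes}. cd_overrides maps a name to a compression
    method recorded only in the central directory, simulating a tampered archive."""
    cd_overrides, out, cd = cd_overrides or {}, io.BytesIO(), bytearray()
    for name, data in files.items():
        comp, crc, nb, off = zlib.compress(data)[2:-4], zlib.crc32(data), name.encode(), out.tell()
        out.write(LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, DEFLATED, 0, 0, crc,
                                          len(comp), len(data), len(nb), 0) + nb + comp)
        cd += CDIR_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, cd_overrides.get(name, DEFLATED),
                                     0, 0, crc, len(comp), len(data), len(nb), 0, 0, 0, 0, 0, off) + nb
    cd_off = out.tell()
    out.write(cd)
    out.write(EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(files), len(files), len(cd), cd_off, 0))
    return out.getvalue()


def central_directory(blob):
    """Parse the central directory, the view Android's package parser trusts."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _, pos = struct.unpack_from("<HII", blob, eocd + 10)
    entries = []
    for _ in range(total):
        if blob[pos:pos + 4] != CDIR_SIG:
            raise ValueError("central directory signature missing")
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", blob, pos + 4)
        entries.append({"name": blob[pos + 46:pos + 46 + f[9]], "method": f[3], "offset": f[15]})
        pos += 46 + f[9] + f[10] + f[11]  # header + name + extra + comment
    return entries


def local_header(blob, offset):
    """Parse the local file header an entry's central-directory offset points at."""
    if blob[offset:offset + 4] != LOCAL_SIG:
        return None
    f = struct.unpack_from("<HHHHHIIIHH", blob, offset + 4)
    return {"name": blob[offset + 30:offset + 30 + f[8]], "method": f[2]}


def audit_apk_structure(blob):
    """Return a list of findings; an empty list means the container looks consistent."""
    findings, seen = [], set()
    entries = central_directory(blob)
    if b"AndroidManifest.xml" not in [e["name"] for e in entries]:
        findings.append("AndroidManifest.xml missing from central directory")
    for e in entries:
        n = e["name"]
        if n in seen:
            findings.append(f"duplicate entry {n!r}")
        seen.add(n)
        if e["method"] not in (STORED, DEFLATED):
            findings.append(f"{n!r}: unsupported compression method {e['method']}")
        if b".." in n.split(b"/") or b"\x00" in n:
            findings.append(f"{n!r}: suspicious entry name")
        loc = local_header(blob, e["offset"])
        if loc is None:
            findings.append(f"{n!r}: central directory offset does not point at a local header")
        elif loc["name"] != n or loc["method"] != e["method"]:
            findings.append(f"{n!r}: local header disagrees with central directory "
                            f"(name {loc['name']!r}, method {loc['method']} vs {e['method']})")
    return findings


URL_RE = re.compile(rb"https?://[\w.-]+(?::\d+)?(?:/[^\s\"'<>]*)?")


def find_encoded_urls_in_prefs(xml_bytes):
    """Return (key, url) for <string> preferences that are URLs only after base64 decoding."""
    hits = []
    for el in ET.fromstring(xml_bytes).iter("string"):
        value = (el.text or "").strip()
        if URL_RE.match(value.encode()):
            continue  # a plain URL is not hidden; other rules may still care about it
        try:
            decoded = base64.b64decode(value, validate=True)
        except binascii.Error:
            continue
        m = URL_RE.search(decoded)
        if m:
            hits.append((el.get("name"), m.group(0).decode()))
    return hits


# Constructed samples: a consistent archive, a variant whose central directory claims an
# unsupported method for the manifest, and a preferences file hiding a placeholder C2 URL.
SAMPLE_FILES = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\0"}
CLEAN_APK = build_zip(SAMPLE_FILES)
TAMPERED_APK = build_zip(SAMPLE_FILES, {"AndroidManifest.xml": 0x1234})
SAMPLE_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="theme">dark</string>
    <string name="cfg">%s</string>
    <int name="runs" value="3" />
</map>""" % base64.b64encode(b"https://c2.example.invalid/api/v1")

if __name__ == "__main__":
    print("clean:", audit_apk_structure(CLEAN_APK))
    print("tampered:", audit_apk_structure(TAMPERED_APK))
    print("prefs:", find_encoded_urls_in_prefs(SAMPLE_PREFS))
```

The ZIP checks deliberately do not decompress anything; the point is that a package whose two directory views disagree, or that uses a method a stock unzip cannot handle, deserves a closer look before any further static analysis is trusted. The preferences scan only reports strings that are not URLs in the clear but decode to one, which keeps the noise low on ordinary apps.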
User Interaction Exploitation: The Malware’s Eyes and Ears
The malware obtains accessibility permissions by telling users that they cannot use the application without granting them. Once the user grants these permissions, the malware can carry out further nefarious actions on the target device. Permission requests are commonplace in mobile applications, and many users are predisposed to trust apps and grant permissions without much thought. The malware uses these elevated permissions to capture a wide range of user data and interactions, including taps and swipes, enabling the attackers to steal credentials and other sensitive information.
Security Implications and Challenges
Traditional security methods often fall short in the face of virtualization threats. Static analysis tools, user vigilance, and other measures against threats are inadequate for dealing with the capabilities that GodFather malware now exhibits. “This situation highlights the pressing need for a robust security strategy that protects backend APIs and addresses sophisticated client-side breaches that aim to steal API-enabling credentials and manipulate API-driven interactions from the user’s device's point of origin,” says Eric Schwake, Director of Cybersecurity Strategy at Salt Security.
Zimperium’s analysis offers in-depth insight into the technical details of the malware’s evolution and maps the attack onto MITRE tactics and techniques. Zimperium’s table links to MITRE’s pages on each technique, including phishing, process injection, virtualization solution, and keylogging. These pages offer a rundown of mitigation suggestions, from application vetting and user guidance to antivirus and antimalware solutions.
Future Outlook: An Arms Race in Mobile Security
Mobile malware tactics and technologies will continue to evolve as attackers look for new ways to launch more deceptive and effective attacks. While the recent incidents using this virtualization method have primarily targeted finance-related applications in e-commerce, banking, and cryptocurrency, the goals, methods, and targets of malware attacks shift with industry trends and other factors. To protect against mobile malware threats today and in the future, organizations and users urgently need proactive mobile threat defense mechanisms.