Executive Summary
Zimperium zLabs has uncovered a sophisticated evolution of the GodFather banking malware that leverages an advanced on-device virtualization technique to hijack multiple legitimate applications, with a focus on mobile banking and cryptocurrency applications. This technique marks a significant leap in mobile threat capabilities, moving beyond traditional overlays to a more deceptive and effective form of attack.
The core of this novel technique is the malware's ability to create a complete, isolated virtual environment on the victim's device. Instead of merely mimicking a login screen, the malware installs a malicious "host" application that contains a virtualization framework. This host then downloads and runs a copy of the actual targeted banking or cryptocurrency app inside its controlled sandbox. When a user launches their app, they are seamlessly redirected to this virtualized instance, where every action, tap, and data entry is monitored and controlled by the malware at runtime.
This virtualization technique gives attackers several critical advantages over previously seen malware. By running the legitimate app inside a controlled environment, attackers gain complete visibility into the application's processes, allowing them to intercept credentials and sensitive data in real time. The malware can be controlled remotely and can also use hooking frameworks to modify the behavior of the virtualized app, effectively bypassing security checks such as root detection. In addition to this core technique, GodFather has evolved its evasive maneuvers, employing ZIP manipulation and moving code to the Java layer to defeat static analysis tools. Crucially, because the user is interacting with the real, unaltered application, the attack achieves near-perfect deception, making it nearly impossible to detect through visual inspection and neutralizing user vigilance.
The impact of this attack vector is severe. While this GodFather campaign casts a wide net, targeting nearly 500 applications globally, our analysis reveals that this highly sophisticated virtualization attack is currently focused on a dozen Turkish financial institutions. This discovery represents a significant leap in capability beyond previously documented research such as "FjordPhantom" and the most recent publicly available analysis reported by Cyble in November 2024. The malware grants attackers the ability to steal a wide range of login credentials, from usernames and passwords to device PINs, ultimately leading to a full account takeover. Ultimately, this virtualization technique erodes the fundamental trust between a user and their mobile applications, rendering the device itself an untrusted environment where even legitimate apps can be turned into tools for espionage and theft.
Technical Analysis
Evasive ZIP Techniques
All of the latest GodFather samples found by our research team use a very similar ZIP manipulation technique. Threat actors alter the ZIP structure of the APK files (Fig. 1) and tamper with the structure of the AndroidManifest file to bypass static analysis tools and avoid detection.
Specifically, the samples exhibit two key traits:
- General Purpose flag enabled: The APK has bit 0 of the General Purpose Bit Flags set. This bit marks an entry as encrypted, so it tricks some analysis tools into believing the APK is encrypted and requires a password for decompression, hindering their ability to analyze the file.
- Added extra field: The samples include an extra field containing the string "$JADXBLOCK", which references an open-source decompiler. This likely serves to further mislead or obstruct analysis.
Fig. 1: Example of the Local File Header for AndroidManifest.xml
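The two header traits above can be checked directly in the ZIP local file headers. The following is an added Python example (not Zimperium's tooling and not from the malware): it constructs a minimal APK-like byte string with a manifest entry that carries the "encrypted" bit and a "$JADXBLOCK" extra field, then walks the local headers and flags such entries.

```python
import struct
import zlib

LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"   # 30-byte ZIP local file header
FLAG_ENCRYPTED = 0x0001             # general purpose bit 0: "entry is encrypted"
FLAG_DATA_DESCRIPTOR = 0x0008       # sizes/CRC follow the data instead of the header
JADX_MARKER = b"$JADXBLOCK"


def build_local_entry(name: bytes, data: bytes, flags: int = 0, extra: bytes = b"") -> bytes:
    """Constructed stored (method 0) entry: local header + name + extra field + data."""
    header = struct.pack(
        LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flags, 0, 0, 0,
        zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data), len(name), len(extra),
    )
    return header + name + extra + data


# Constructed sample, not bytes from a real GodFather APK: the manifest entry carries
# the encryption flag although its data is plaintext, and its extra field holds the
# "$JADXBLOCK" marker (embedded raw; the extra field's id/size layout is not modelled).
SAMPLE_APK = (
    build_local_entry(b"AndroidManifest.xml", b"<manifest/>",
                      flags=FLAG_ENCRYPTED, extra=JADX_MARKER)
    + build_local_entry(b"classes.dex", b"dex\n035\0")
)


def scan_local_headers(blob: bytes) -> list:
    """Walk the local file headers (the structure shown in Fig. 1) and record, per
    entry, whether the 'encrypted' bit is set and whether the extra field has $JADXBLOCK."""
    findings = []
    offset = 0
    while offset + 30 <= len(blob):
        fields = struct.unpack_from(LOCAL_HEADER_FMT, blob, offset)
        sig, _ver, flags, _method, _t, _d, _crc, csize, _usize, nlen, xlen = fields
        if sig != LOCAL_HEADER_SIG:
            break  # reached the central directory or trailing data
        name = blob[offset + 30:offset + 30 + nlen].decode("utf-8", "replace")
        extra = blob[offset + 30 + nlen:offset + 30 + nlen + xlen]
        findings.append({
            "name": name,
            "encrypted_flag": bool(flags & FLAG_ENCRYPTED),
            "jadx_marker": JADX_MARKER in extra,
        })
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # size is not in the header; a full parser would locate the data descriptor
        offset += 30 + nlen + xlen + csize
    return findings


def flagged_entries(findings: list) -> list:
    """Names of entries showing either trait. A legitimately built APK never marks
    entries as encrypted, so the bit alone is a strong triage signal."""
    return [f["name"] for f in findings if f["encrypted_flag"] or f["jadx_marker"]]


if __name__ == "__main__":
    results = scan_local_headers(SAMPLE_APK)
    for entry in results:
        print(entry)
    print("flagged:", flagged_entries(results))
```

Run against a real file, feed the APK bytes to `scan_local_headers`; entries whose header says "encrypted" while the central directory says otherwise are the ones worth a closer look.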
Accessibility Services, Obfuscation and Code Shift
Just like previous versions, the latest GodFather malware relies on Android's accessibility services and only a few permissions to commit fraud. But there is a new twist: its Android manifest is now obfuscated with irrelevant permissions and manifest strings, specifically designed to thwart static analysis and challenge reverse engineers. We also observed that the attackers have moved much of the malicious code from the native layer to the Java layer.
The Same Old Dropper Technique
The malware uses a session-based installation technique (Fig. 2) to install the actual payload on the victim's device, in order to bypass the restrictions on accessibility permissions. It displays a message stating (Fig. 3), "You need to grant permission to use all the features of the application", which is designed to lure victims into unknowingly installing the malware.
The malware hides its main payload in the assets folder. Once a victim falls for the trick and proceeds with the installation, the malware immediately requests accessibility permissions. If these are granted, the malware can then covertly grant itself additional permissions by overlaying content on the screen, all without the user's awareness or consent.
Fig. 2: The launcher installs the asset APK using session-based installation
Fig. 3: The application requests accessibility, device admin and notification permissions
C&C Communication
The GodFather malware keeps all of its critical information, such as its C2 communication details and the list of targeted banks, in its shared preferences. A Base64-encoded C2 URL is embedded within these preferences, allowing the malware to connect to its command server (Fig. 4).
Fig. 4: Malicious C&C in Base64
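For analysts pulling a sample's shared_prefs directory from an emulator or a forensic image, the following added Python example (not Zimperium's tooling) decodes Base64 string values and reports those that resolve to URLs, alongside plain package-name lists. The XML document and the C2 URL are constructed placeholders, not values from the malware.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed shared_prefs XML for the demo; "example.invalid" stands in for the
# real, Base64-encoded C2 URL the malware keeps in its preferences (Fig. 4).
_PLACEHOLDER_C2 = "https://c2.example.invalid/api/v1"
SAMPLE_PREFS = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="lang">tr</string>
    <string name="srv">{base64.b64encode(_PLACEHOLDER_C2.encode()).decode()}</string>
    <string name="tb">com.example.bank1,com.example.bank2</string>
    <int name="delay" value="30" />
</map>"""

URL_RE = re.compile(r"^(?:https?|wss?)://[\w.-]+(?::\d+)?(?:/\S*)?$")
PKG_RE = re.compile(r"^(?:[A-Za-z_]\w*\.)+[A-Za-z_]\w*$")


def try_b64(value: str):
    """Strictly decode Base64 to text; return None for anything that is not Base64
    (validate=True rejects stray characters) or does not decode to UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage_prefs(xml_text: str) -> dict:
    """Return URLs and package names found in <string> prefs, checking each value
    both as written and after Base64 decoding, splitting comma-separated lists."""
    found = {"urls": [], "packages": []}
    for node in ET.fromstring(xml_text).iter("string"):
        raw = (node.text or "").strip()
        for candidate in (raw, try_b64(raw) or ""):
            for part in (p.strip() for p in candidate.split(",")):
                if URL_RE.match(part):
                    found["urls"].append((node.get("name"), part))
                elif PKG_RE.match(part):
                    found["packages"].append((node.get("name"), part))
    return found


if __name__ == "__main__":
    print(triage_prefs(SAMPLE_PREFS))
```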
Once a victim grants accessibility permissions, the malware immediately sends information about the screen to the server, along with detailed tap events captured by the Accessibility Service (Fig. 5). This means GodFather can essentially "see" every touch, swipe, and tap the user makes on the screen, regardless of which app is currently open.
Fig. 5: Some information collected from accessibility is sent to the C2
Uncovering New Capabilities
Overlay Using Virtualization and Hooking Frameworks
The malware is assembled using several legitimate open-source tools, such as VirtualApp, XposedBridge, XposedInstaller and Xposed, to execute its overlay attacks. It exploits the legitimate capabilities of these tools, namely their ability to virtualize apps in sandboxed environments and hook into specific application programming interfaces (APIs), both to ensure its malicious code runs smoothly in these virtual spaces and to extract crucial data.
How does virtualization work?
The approach used by GodFather relies on a virtualization technique in which a single app acts as a container potentially capable of running multiple other apps. These secondary apps, known as hosted apps, are not installed directly onto the Android system. Instead, they are placed inside a virtual filesystem (Fig. 7) managed by the host app. When one of these hosted apps is launched, the host creates a new process (Fig. 6), loads the hosted app into it, and then executes it.
The process responsible for executing the virtualized app is com.heb.reb:va_core.
Fig. 6: List of processes while the virtualized app is running
Fig. 7: Malware creating the virtual environment inside the host app
GodFather Malware: A Toolkit for Overlay Attacks
GodFather first gathers a list of all applications installed on the victim's device, specifically checking it against a predetermined list of targeted apps (Fig. 8).
Fig. 8: List of installed apps sent to the C2
If any of the applications listed below are already installed on the victim's device, the malware downloads and installs (Fig. 9) the Google Play Store, Google Play Services and Google Services Framework APKs and writes them to the virtual folder (Fig. 10).
Fig. 9: Downloading the Play Store, Play Services and Google Services Framework APKs
Fig. 10: Information on the virtual environment created
| Package name | Bank name |
| --- | --- |
| com.akbank.android.apps.akbank_direkt | Akbank Mobile |
| com.fibabanka.Fibabanka.mobile | Fibabanka |
| com.garanti.cepsubesi | Garanti BBVA Mobile |
| com.tmobtech.halkbank | Halkbank Mobil |
| com.ingbanktr.ingmobil | ING Mobil |
| az.kapitalbank.mbanking | Birbank |
| com.kuveytturk.mobil | Kuveyt Türk Mobile |
| com.pozitron.iscep | İşCep: Banking & Finance |
| tr.com.sekerbilisim.mbank | Şeker Mobil |
| com.tfkb | Türkiye Finans Mobile |
| com.ykb.android | Yapı Kredi Mobile |
| com.ziraat.ziraatmobil | Ziraat Mobile |

Table 1: List of banks targeted by the malware
The malware extracts essential information from the targeted banking applications already installed on the device. It then uses this data to generate a cache file named bundle.ini, which contains all the details needed to launch these specific banking apps inside its virtual environment while preserving user sessions.
The malware follows a precise, multi-step process for this:
- APK parsing: analysis of the APKs of the targeted apps
- Private space preparation: the malware sets up a dedicated, private space inside its virtual environment and copies over all the files the banking application needs to run there.
- Completion notification: it signals that these preparatory steps are complete.
Information gathered from the targeted applications running within the virtual environment is subsequently converted into a serializable format (Fig. 11).
Fig. 11: bundle.ini and signature.ini files created in the application folder
This serialized data is cached on disk as the bundle.ini and certificate.ini files (Fig. 12).
Fig. 12: All the components inside bundle.ini needed to launch the banking app
Once the bundle.ini file is populated with key data from the legitimate banking application, such as its package name, libraries, and other components, the malware is ready to launch the virtualized version.
When victims attempt to use their original banking app, the GodFather malware mimics their actions and redirects them to its StubActivity, leveraging the accessibility service to achieve this seamless, deceptive launch.
Whenever the victim attempts to open the real banking application (Fig. 13), the malware intercepts the original Intent that would launch the legitimate app and generates a fake Intent that launches a virtual app designed to mimic the banking application (Fig. 14).
Fig. 13: Legitimate banking application Intent
Fig. 14: Fake Intent launching the virtual app that mimics the banking application
The malware first replaces the system's standard Activity Manager with its own custom proxy. With this control, it dictates how applications launched from its virtualized environment (VApp) behave.
It fine-tunes launch behavior within this virtual space, managing aspects such as:
- The activity's launch mode (standard or singleTask).
- Whether to reuse an existing task or start a new one.
- Whether it should deliver a new Intent or spawn a new process.
Additionally, the malware assigns a virtual process ID (vpid) to the activity. It then picks a placeholder "stub" activity (Fig. 15) from the main host application to act as a bridge, enabling the virtualized app's real activity to execute within the host environment. This entire process is crucial to how the malware seamlessly integrates and runs its deceptive banking apps.
Fig. 15: Stub activity in which the virtualized app mimics the target bank
Hooking Methods to Harvest Credentials
The malware is designed to hook different methods depending on the banking application (Fig. 16).
Fig. 16: Different hooks depending on the virtualized target app
The code in Fig. 17 uses the Xposed hooking framework to intercept and manipulate network connections. Specifically, it hooks the build() method of the OkHttpClient.Builder class, which is part of the popular OkHttp networking library used by many Android apps to handle HTTP requests. When a targeted app attempts to instantiate its OkHttp client, this hook injects a custom interceptor into the client's configuration. The injected interceptor is a dynamically generated proxy object that allows the malware to log the network requests and responses made by the app.
Fig. 17: Network hooks used by the malware
The malware customizes its data interception strategy based on the specific banking app it is targeting. It does this by checking for unique identifiers within the app's package name. Once a specific bank app is detected, the malware creates a specialized, malicious InterceptorHandler designed to intercept and record sensitive information specifically from that application. This capability gives attackers a direct pathway to capture and exfiltrate sensitive data, including user credentials.
At runtime, GodFather intercepts and modifies the behavior of key APIs, such as getEnabledAccessibilityServiceList (Fig. 18).
Fig. 18: Hooking the getEnabledAccessibilityServiceList API
This API returns the list of active accessibility services and is commonly used by banking apps to detect screen readers or malicious services that are "observing" the screen. The malware hooks these methods to return an empty list (Fig. 19), hiding itself and all the other active services.
Fig. 19: Returning an empty list from this method
Stealing via the Device Lock Screen
A particularly alarming capability uncovered in the GodFather malware is its capacity to steal device lock credentials, regardless of whether the victim uses an unlock pattern, a PIN, or a password. This poses a significant threat to user privacy and device security.
This means that even a strong lock screen offers little protection against GodFather. The malware does not attempt to guess the lock; instead, it deploys a deceptive overlay (Fig. 20) designed to trick the user into revealing their credentials. This overlay likely mimics the appearance of a legitimate lock screen or appears within an application prompting for such sensitive information. When a user interacts with this malicious overlay by entering their pattern, PIN, or password, the malware records these critical details.
Fig. 20: Overlay shown to the victim to steal credentials
Remote Control of the Device
To control infected devices and carry out its malicious operations, the GodFather malware relies on a specific set of commands. These commands dictate the malware's behavior, allowing threat actors to remotely manage various functionalities. The table below details all the commands currently supported by the GodFather malware, outlining their purpose and enabling a clearer understanding of its capabilities.
| Command | Description |
| --- | --- |
| setdata | Sets the value of the X and Y position |
| backed | Takes the user to the previous screen |
| home | Takes the user to the home screen |
| recents | Takes the user to the recents screen |
| scrollforwad | Scrolls the page forward |
| scrollback | Scrolls the page backward |
| opencontrol | Performs gestures on the target app |
| setpattern | Receives a value from the server and saves it to the "pc" variable |
| screenlight | Manages the screen brightness |
| sl2 | Acquires a WakeLock with screen wake-up and stores it so it can be manually released later |
| sl3 | Uses a basic CPU-only WakeLock without storing or releasing it |
| autopattern | The value received via the "setpattern" command is entered on the device screen using the accessibility service |
| csn | Sets the timer that initiates the WebSocket connection |
| swpfull | Performs a full swipe operation |
| upswp | Performs a swipe up |
| downswp | Performs a swipe down |
| leftswp | Performs a swipe left |
| rightswp | Performs a swipe right |
| opnap | Opens an application based on the package name received from the server |
| blackscreen | Turns the screen black |
| sunblack | Displays a fake update overlay with the text "Güncelleme kuruluyor.." |
| blackoffscreen | Turns off the black screen |
| getblck | Gets the current battery level (as a percentage) |
| gif | Loads a GIF to coax the user into enabling accessibility services |
| setDuration | Sets a duration of 500 ms |
| setaDuration | Sets a duration of 1500 ms used in some swipe gestures on the screen |
| opnsttngs | Opens the Settings app |
| opnsound | Opens the sound settings |
| opnmsc | Opens the notification settings screen for the current default SMS app |
| opnpckg | Opens app notification settings based on the package name received from the server |
| phonelock | Shows the lock overlay matching the PIN/password/pattern |
| downapp | Opens https://google.com/ if Chrome is installed |
| upScroll | Performs an upward scroll |
| downScroll | Performs a downward scroll |
| distru | Stores a list of targeted app package names in internal storage for later use in accessibility-triggered app blocking |
| notifiopen | Opens the notification drawer |

Table 2: List of commands used by GodFather
Classical Overlay Technique
Beyond its advanced virtualization techniques, the GodFather malware also continues to use traditional overlay attacks, placing deceptive screens directly over legitimate applications (Fig. 21). This dual approach highlights the threat actors' remarkable adaptability in their methods. Our investigation revealed approximately 484 targeted applications, with the actual targets being received from the C2 server in Base64-encoded form.
Fig. 21: Traditional overlay received from the server
List of Targeted Apps
The list of applications represents a significant and widespread targeting effort (hundreds of popular applications), compromising major applications used by hundreds of millions of people globally. The targets can be categorized into several key verticals:
Global Payments, E-commerce, and Services
The campaign targets top-tier global brands that are household names in digital commerce and services. This includes major digital payment platforms with hundreds of millions of active users and billions of downloads, as well as the world's most popular online shopping apps. The list also extends to major online auction sites, widely used ride-sharing and food delivery services, and top-tier media streaming platforms, indicating a broad effort to capture credentials across a wide swath of daily digital life.
Global Social Media and Communication
The malware targets the world's most popular communication platforms. This includes the leading encrypted messaging service with over 5 billion downloads, as well as the dominant social media messaging and photo-sharing apps, each with billions of users. Compromising these platforms gives threat actors access to a vast and deeply personal set of user data.
Financial and Banking Applications (Global)
The targeting is exceptionally comprehensive in the banking sector, covering major financial institutions across North America, Europe, and Turkey. In the United States, the list includes nearly every major national bank, prominent investment and brokerage firms, and popular peer-to-peer payment apps. In the United Kingdom and Canada, the largest and most widely used retail and commercial banking applications are targeted. The campaign is also extensive across Europe, with major banks in Germany, Spain, France, and Italy included in the target list.
Cryptocurrency Exchanges and Wallets
This is one of the most exhaustive target categories, highlighting a clear focus on stealing digital assets. The malware targets over 100 distinct cryptocurrency applications. This includes the world's largest and most popular crypto exchanges, each serving tens of millions of users. The list also includes dozens of the most widely used software and mobile wallets for storing digital assets, as well as the official companion apps for major hardware wallets. This widespread effort indicates a strategic goal of compromising users across the entire crypto ecosystem, from casual investors to seasoned traders.
MITRE ATT&CK Techniques
To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table of MITRE tactics and techniques as a reference.
| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Initial Access | | Phishing | Adversaries host phishing sites to deliver malicious applications |
| Persistence | | Scheduled Task/Job | Uses a timer to initiate the WebSocket connection |
| Process Injection | | Process Injection | GodFather injects malicious code and a hooking framework into the process of the hosted application through a virtualization solution |
| Defense Evasion | | Masquerading: Match Legitimate Name or Location | The malware pretends to be a genuine music application |
| | | Virtualization Solution | GodFather uses a virtualization solution to place overlays on top of banking applications |
| | | Hooking | GodFather uses a hooking framework in a variety of ways, including returning false information to detection mechanisms |
| | | Input Injection | The malware can mimic user interaction, perform clicks and various gestures, and input data |
| | | Obfuscated Files or Information: Software Packing | The malware is obfuscated and uses a ZIP manipulation technique |
| Credential Access | | Input Capture: Keylogging | It has a keylogger feature |
| Discovery | | Software Discovery | The malware collects the list of installed application packages |
| | | System Information Discovery | The malware collects basic device information |
| Collection | | Input Capture: Keylogging | The malware can capture keystrokes |
| Command and Control | | Web Service: Dead Drop Resolver | The malware communicates with Telegram to fetch the C&C server |
| Exfiltration | | Exfiltration Over C2 Channel | Exfiltrated data is sent over the C&C channel |
| Impact | | Input Injection | It displays injected payloads such as a pattern lock, mimics banking apps' login screens through overlays, and steals credentials |
IOCs
The list of IOCs can be found here: GodFather IOCs