codesanitize

Government Abstract

Zimperium zLabs has uncovered a classy evolution of the GodFather banking malware that leverages a sophisticated on-device virtualization approach to hijack a number of authentic functions, with a give attention to cell banking and cryptocurrency functions. This technique marks a big leap in cell menace capabilities, shifting past conventional overlays to a extra misleading and efficient type of assault.

The core of this novel approach is the malware’s potential to create an entire, remoted digital setting on the sufferer’s machine. As a substitute of merely mimicking a login display, the malware installs a malicious “host” software that incorporates a virtualization framework. This host then downloads and runs a duplicate of the particular focused banking or cryptocurrency app inside its managed sandbox. When a person launches their app, they’re seamlessly redirected to this virtualized occasion, the place each motion, faucet, and information entry is monitored and managed by the malware at runtime.

This virtualization approach gives attackers with a number of crucial benefits over beforehand seen malware. By operating the authentic app inside a managed setting, attackers achieve complete visibility into the appliance’s processes, permitting them to intercept credentials and delicate information in real-time. The malware could be managed remotely and in addition use hooking frameworks to change the conduct of the virtualized app, successfully bypassing safety checks comparable to root detection. Along with this core approach, GodFather has advanced its evasive maneuvers, using ZIP manipulation and shifting code to the Java layer to defeat static evaluation instruments. Crucially, as a result of the person is interacting with the actual, unaltered software, the assault achieves good deception, making it almost unattainable to detect by means of visible inspection and neutralizing person vigilance.

The affect of this assault vector is extreme. Whereas this GodFather marketing campaign casts a large internet, concentrating on almost 500 functions globally, our evaluation reveals that this extremely subtle virtualization assault is at present centered on a dozen Turkish monetary establishments. This discovery represents a big leap in functionality past beforehand documented analysis like “FjordPhantom” and the latest publicly out there evaluation reported by Cyble in November 2024. The malware grants attackers the flexibility to steal a variety of login credentials, from usernames and passwords to machine PINs, finally resulting in a full account takeover. Finally, this virtualization approach erodes the elemental belief between a person and their cell functions, rendering the machine itself an untrusted setting the place even authentic apps could be changed into instruments for espionage and theft.

Technical Evaluation

Evasive ZIP Methods

All the newest samples of GodFather discovered by our analysis workforce are utilizing a really comparable strategy of ZIP manipulation. Menace actors are altering the ZIP format of APK recordsdata (Fig.1) and tampering with the construction of Android Manifest recordsdata to bypass static evaluation instruments and keep away from detection.

Particularly, the samples exhibit two key traits:

1. Basic Objective flag enabled: The APK incorporates the bit 00 of the Basic Objective Flags enabled. This tips some evaluation instruments into believing the APK is encrypted and requires a password for decompression, hindering their potential to investigate the file.
2. Including further discipline identify: The samples embody a further discipline identify, “$JADXBLOCK” which references an open-source decompiler. This seemingly serves to additional mislead or hinder evaluation.

Fig. 1: Instance of Native File Header for AndroidManifest.xml

Accessibility Providers, Obfuscation and Code Shift

Identical to earlier variations, the newest GodFather malware depends on Android’s accessibility providers and only some permissions to commit fraud. However there is a new twist: its Android manifest is now obfuscated with irrelevant permissions and manifest strings, particularly designed to thwart static evaluation and problem reverse engineers. It was additionally doable to note that the attackers have moved a lot of the malicious code from the native layer to the Java layer.

The Identical Previous Dropper Approach

The malware makes use of a session based mostly set up approach (Fig. 2) to put in the precise payload on the sufferer’s machine, in an effort to bypass the accessibility permissions restrictions. It presents a message stating (Fig. 3), “That you must grant permission to make use of all of the options of the appliance”, which is designed to lure victims into unknowingly putting in the malware.

The malware hides its major payload within the property folder. As soon as a sufferer falls for the trick and proceeds with the set up, the malware instantly requests accessibility permissions. If these are granted, the malware can then covertly grant itself extra permissions by overlaying content material on the display, all with out the person’s consciousness or consent.

Fig. 2: The launcher set up the asset apk utilizing session based mostly set up          

Fig. 3: The appliance request for accessibility and machine app and notification permission

C&C Communication

The GodFather malware retains all its crucial info, comparable to its C2 communication particulars and a listing of focused banks, in its shared choice. A Base64-encoded C2 URL is embedded inside these preferences, permitting the malware to hook up with its command server (Fig. 4).

Fig. 4: Malicious C&C in Base64

As soon as a sufferer grants accessibility permissions, the malware instantly sends details about the display to the server, together with detailed faucet occasions captured by the Accessibility Service (Fig.5). Which means GodFather has the flexibility to primarily “see” each contact, swipe, and faucet that the person makes on the display, no matter which app is at present open.

Fig. 5: Some info collected from accessibility is shipped to the C2

Uncovering New Capabilities

Overlay Utilizing Virtualization and Hooking Frameworks

The Malware is assembled utilizing a number of authentic open-source instruments like Virtualapp, Xposedbridge, XposedInstaller, Xposed to execute its overlay assaults. It exploits the authentic capabilities of those instruments, like their potential to virtualize apps in sandboxed environments and hook into particular software programming interfaces (APIs), each to make sure its malicious code runs easily in these digital areas and to extract essential information.

How does virtualization work?

The strategy utilized by GodFather depends on a virtualization approach wherein a single app acts as a container probably able to operating a number of different apps. These secondary apps known as hosted apps are usually not put in immediately onto the Android system. As a substitute, they’re positioned inside a digital filesystem (Fig. 7) managed by the host app. When considered one of these hosted apps is launched, the host creates a brand new course of (Fig. 6), hundreds the hosted app into it, after which executes it. 

The method accountable to execute the virtualized app is com.heb.reb:va_core.

Fig. 6: Record of course of when the app virtualized is operating

Fig. 7: Malware creating digital setting contained in the host app

GodFather Malware: A Toolkit for Overlay Assaults

GodFather first gathers a listing of all functions put in on the sufferer’s machine, particularly checking for a predetermined record of focused apps (Fig.8).

Fig. 8: Record of put in apps despatched to the C2

If any of the under listed functions are already put in on the victims machine, then the malware downloads and installs (Fig. 9) Google playstore,Google play providers and Google Providers Framework APK and writes it to the digital folder (Fig. 10).

Fig. 9: Downloading playstore,play providers,Google Providers Framework APK’s

Fig. 10: Data on the digital setting created

Desk 1: Record of banks which are focused by the malware

The malware extracts important info from focused banking functions already put in on the machine. It then makes use of this information to generate a cache file named bundle.ini, which incorporates all the mandatory particulars to launch these particular banking apps inside its digital setting whereas preserving person classes.

The malware follows a exact, multi-step course of for this:

1. APK parsing: evaluation of the APKs of the focused apps
2. Non-public House Preparation: The malware units up a devoted, non-public house inside its digital setting and copies over all of the recordsdata wanted for the banking software to run there.
3. Completion Notification: It alerts that these preparatory steps are full.

Data gathered from the focused functions working throughout the digital setting is subsequently transformed right into a serializable format (Fig. 11).

Fig. 11: Bundle.ini and signature.ini recordsdata created within the software folder

This serialized information is cached as bundle.ini and certificates.ini recordsdata on disk (Fig. 12).

Fig. 12: All the mandatory parts contained in the bundle.ini to launch the banking app

As soon as the bundle.ini file is populated with key information from the authentic banking software—comparable to its bundle identify, libraries, and different parts—the malware is able to launch the virtualized model.

When victims try to make use of their unique banking app, the GodFather malware mimics their actions and redirects them to its StubActivity, leveraging the accessibility service to realize this seamless, misleading launch.

At any time when the sufferer makes an attempt to open the actual banking software (Fig. 13), the malware intercepts the unique Intent to launch the authentic app and generates a pretend Intent that launches a digital app designed to imitate the banking software (Fig. 14)

Fig. 13: Authentic Banking software intent

Fig. 14:  Pretend intent to launch the Digital app to imitate the banking software

The malware first replaces the system’s normal Exercise Supervisor with its personal customized proxy. With this management, it dictates how functions launched from its virtualized setting (VApp) behave.

It finely tunes launch behaviors inside this digital house, managing features like:

• The exercise’s launch mode (normal or singleTask).
• Whether or not to reuse an current activity or provoke a brand new one.
• If it ought to ship a brand new intent or spawn a brand new course of.

Moreover, the malware assigns a digital course of ID (vpid) to the exercise. It then picks a placeholder “stub” exercise (Fig. 15) from the principle host software to behave as a bridge, enabling the virtualized app’s true exercise to execute throughout the host setting. This complete course of is essential to how the malware seamlessly integrates and runs its misleading banking apps.

Fig. 15: Stub exercise the place the virtualized app mimics the goal financial institution 

Hooking Strategies to Harvest Credentials

The malware is designed in a approach that hooks completely different strategies relying on the banking software (Fig. 16).

Fig. 16:  Completely different hooks relying on the goal app virtualized 

The code on Fig. 17 makes use of Xposed hooking framework to intercept and manipulate the community connections. Particularly, it hooks the construct() technique of the OkHttpClient.Builder class, which is a part of the favored OkHttp networking library utilized by many Android apps for dealing with HTTP requests. When a focused app makes an attempt to instanciate its OkHttp consumer, this hook injects a customized interceptor into the consumer’s configuration. The injected interceptor is a dynamically generated proxy object that enables the malware to log community requests and responses made by the app.

Fig. 17:  Community hooks utilized by the malware

The malware customizes its information interception technique based mostly on the precise banking app it is concentrating on. It does this by checking for distinctive identifiers throughout the app’s bundle identify. As soon as a selected financial institution app is detected, the malware creates a specialised, malicious InterceptorHandler designed to intercept and document delicate info particularly from that software. This functionality gives a direct pathway for attackers to seize and exfiltrate delicate information, together with person credentials. 

At runtime, GodFather intercepts and modifies the conduct of key APIs, comparable to getEnabledAccessibilityServiceList (Fig. 18).

Fig. 18:  Hooking the getEnabledAccessilibityServiceList API

This API returns a listing of energetic accessibility providers and is often utilized by banking apps to detect screenreaders or malicious providers which are “observing” the display. The malware hooks these strategies to return again an empty record (Fig. 19), hiding themselves and all the opposite energetic providers.

Fig. 19:  Return an empty record for this technique

Stealing by way of the Gadget Lock Display

A very alarming functionality uncovered within the GodFather malware is its capability to steal machine lock credentials, regardless of whether or not the sufferer makes use of an unlock sample, a PIN, or a password. This poses a big menace to person privateness and machine safety. 

Which means even a strong lock display gives little safety in opposition to GodFather. The malware does not try and guess the lock, as an alternative, it deploys a misleading overlay (Fig. 20) designed to trick the person into revealing their credentials. This overlay seemingly mimics the looks of a authentic lock display or seems inside an software prompting for such delicate info. When a person interacts with this malicious overlay by inputting their sample, PIN, or password, the malware information these crucial particulars.

Fig. 20:  Overlay proven to the sufferer to steal credentials

Distant Management The Gadget

To regulate contaminated units and perform its malicious operations, the GodFather malware depends on a particular set of instructions. These instructions dictate the malware’s conduct, permitting menace actors to remotely handle varied functionalities. The desk under particulars all of the instructions at present supported by the GodFather malware, outlining their goal and enabling a clearer understanding of its capabilities.

Desk 2: Record of instructions utilized by GodFather

Classical Overlay Method

Past its superior virtualization strategies, the GodFather malware additionally continues to make use of conventional overlay assaults, putting misleading screens immediately over authentic functions (Fig. 21). This twin strategy highlights the menace actors’ exceptional adaptability of their strategies. Investigations have revealed roughly 484 focused functions, with the precise targets being obtained from the C2 server in a Base64-encoded format.

Fig. 21: Conventional overlay obtained from server 

Record of Focused Apps

​The record of functions represents a big and widespread concentrating on effort (a whole bunch of well-liked functions), compromising main functions utilized by a whole bunch of tens of millions of individuals globally. The targets could be categorized into a number of key verticals:

World Funds, E-commerce, and Providers

The marketing campaign targets top-tier international manufacturers which are family names in digital commerce and providers. This consists of main digital fee platforms with a whole bunch of tens of millions of energetic customers and billions of downloads, in addition to the world’s hottest on-line buying apps. The record additionally extends to main on-line public sale websites, widely-used ride-sharing and meals supply providers, and top-tier media streaming platforms, indicating a broad effort to seize credentials throughout a large swath of day by day digital life.

World Social Media and Communication

The malware targets the world’s hottest communication platforms. This consists of the main encrypted messaging service with over 5 billion downloads, in addition to the dominant social media messaging and photo-sharing apps, every with billions of customers. Compromising these platforms provides menace actors entry to an enormous and deeply private set of person information.

Monetary and Banking Functions (World)

The concentrating on is exceptionally complete within the banking sector, protecting main monetary establishments throughout North America, Europe, and Turkey. In the US, the record consists of almost each main nationwide financial institution, outstanding funding and brokerage corporations, and well-liked peer-to-peer fee apps. In the UK and Canada, the most important and most generally used retail and industrial banking functions are focused. The marketing campaign can be in depth throughout Europe, with main banks in Germany, Spain, France, and Italy included within the goal record.

Cryptocurrency Exchanges and Wallets

This is without doubt one of the most exhaustive goal classes, highlighting a transparent give attention to stealing digital property. The malware targets over 100 distinct cryptocurrency functions. This consists of the world’s largest and hottest crypto exchanges, every serving tens of tens of millions of customers. The record additionally consists of dozens of essentially the most broadly used software program and cell wallets for storing digital property, in addition to the official companion apps for main {hardware} wallets. This widespread effort signifies a strategic aim to compromise customers throughout your complete crypto ecosystem, from informal traders to seasoned merchants.

MITRE ATT&CK Methods

To assist our prospects and the business perceive the affect of this malware, Zimperium has compiled the next desk containing the MITRE Techniques and Methods as reference. 

IOCs

The record of IOC’s could be discovered right here GodFather IOC’s