{
	"id": "a2dc8f68-0e25-46c9-8e0d-a8a2e0b99664",
	"created_at": "2026-04-06T00:18:06.45839Z",
	"updated_at": "2026-04-10T03:20:34.607834Z",
	"deleted_at": null,
	"sha1_hash": "d78e749790fe521114ae301ec9e459e205d91db7",
	"title": "Your Mobile App, Their Playground: The Dark side of the Virtualization - Zimperium",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3219231,
	"plain_text": "Your Mobile App, Their Playground: The Dark side of the\r\nVirtualization - Zimperium\r\nBy Fernando Ortega\r\nPublished: 2025-06-18 · Archived: 2026-04-05 20:41:21 UTC\r\nExecutive Summary\r\nZimperium zLabs has uncovered a sophisticated evolution of the GodFather banking malware that leverages an\r\nadvanced on-device virtualization technique to hijack several legitimate applications, with a focus on mobile\r\nbanking and cryptocurrency applications. This method marks a significant leap in mobile threat capabilities,\r\nmoving beyond traditional overlays to a more deceptive and effective form of attack.\r\nThe core of this novel technique is the malware's ability to create a complete, isolated virtual environment on the\r\nvictim's device. Instead of simply mimicking a login screen, the malware installs a malicious \"host\" application\r\nthat contains a virtualization framework. This host then downloads and runs a copy of the actual targeted banking\r\nor cryptocurrency app within its controlled sandbox. When a user launches their app, they are seamlessly\r\nredirected to this virtualized instance, where every action, tap, and data entry is monitored and controlled by the\r\nmalware at runtime.\r\nThis virtualization technique provides attackers with several critical advantages over previously seen malware. By\r\nrunning the legitimate app inside a controlled environment, attackers gain total visibility into the application's\r\nprocesses, allowing them to intercept credentials and sensitive data in real-time. The malware can be controlled\r\nremotely and also use hooking frameworks to modify the behavior of the virtualized app, effectively bypassing\r\nsecurity checks such as root detection. 
In addition to this core technique, GodFather has evolved its evasive\r\nmaneuvers, employing ZIP manipulation and shifting code to the Java layer to defeat static analysis tools.\r\nCrucially, because the user is interacting with the real, unaltered application, the attack achieves perfect deception,\r\nmaking it nearly impossible to detect through visual inspection and neutralizing user vigilance.\r\nThe impact of this attack vector is severe. While this GodFather campaign casts a wide net, targeting nearly 500\r\napplications globally, our analysis reveals that this highly sophisticated virtualization attack is currently focused\r\non a dozen Turkish financial institutions. This discovery represents a significant leap in capability beyond\r\npreviously documented research like \"FjordPhantom\" and the most recent publicly available analysis reported by\r\nCyble in November 2024. The malware grants attackers the ability to steal a wide range of login credentials, from\r\nusernames and passwords to device PINs, ultimately leading to a full account takeover. In the end, this\r\nvirtualization technique erodes the fundamental trust between a user and their mobile applications, rendering the\r\ndevice itself an untrusted environment where even legitimate apps can be turned into tools for espionage and theft.\r\nTechnical Analysis\r\nEvasive ZIP Techniques\r\nhttps://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization\r\nPage 1 of 20\n\nAll the latest samples of GodFather found by our research team use a very similar technique of ZIP\r\nmanipulation. Threat actors are altering the ZIP format of APK files (Fig. 1) and tampering with the structure of\r\nAndroid Manifest files to bypass static analysis tools and avoid detection.\r\nSpecifically, the samples exhibit two key characteristics:\r\n1. General Purpose flag enabled: The APK has bit 00 of the General Purpose Flags set. 
This\r\ntricks some analysis tools into believing the APK is encrypted and requires a password for decompression,\r\nhindering their ability to analyze the file.\r\n2. Adding an extra field name: The samples include an additional field name, “$JADXBLOCK”, which\r\nreferences an open-source decompiler. This likely serves to further mislead or obstruct analysis.\r\nFig. 1: Example of Local File Header for AndroidManifest.xml\r\nAccessibility Services, Obfuscation and Code Shift\r\nJust like earlier versions, the latest GodFather malware relies on Android's accessibility services and only a few\r\npermissions to commit fraud. But there's a new twist: its Android manifest is now obfuscated with irrelevant\r\npermissions and manifest strings, specifically designed to thwart static analysis and challenge reverse engineers.\r\nIt was also observed that the attackers have moved much of the malicious code from the native layer to\r\nthe Java layer.\r\nThe Same Old Dropper Technique\r\nThe malware uses a session-based installation technique (Fig. 2) to install the actual payload on the victim’s\r\ndevice, in order to bypass the accessibility permission restrictions. It presents a message stating (Fig. 3), “You\r\nneed to grant permission to use all the features of the application”, which is designed to lure victims into\r\nunknowingly installing the malware.\r\nThe malware hides its main payload in the assets folder. Once a victim falls for the trick and proceeds with the\r\ninstallation, the malware immediately requests accessibility permissions. If these are granted, the malware can\r\nthen covertly grant itself additional permissions by overlaying content on the screen, all without the user's\r\nawareness or consent.\r\nFig. 
2: The launcher installs the asset APK using session-based installation\r\nFig. 3: The application requests accessibility, device app and notification permissions\r\nC\u0026C Communication\r\nThe GodFather malware keeps all its critical information, such as its C2 communication details and a list of\r\ntargeted banks, in its shared preferences. A Base64-encoded C2 URL is embedded within these preferences,\r\nallowing the malware to connect to its command server (Fig. 4).\r\nFig. 4: Malicious C\u0026C in Base64\r\nOnce a victim grants accessibility permissions, the malware immediately sends information about the screen to the\r\nserver, including detailed tap events captured by the Accessibility Service (Fig. 5). This means that GodFather has\r\nthe ability to essentially \"see\" every touch, swipe, and tap that the user makes on the screen, regardless of which\r\napp is currently open.\r\nFig. 5: Some information collected from accessibility is sent to the C2\r\nUncovering New Capabilities\r\nOverlay Using Virtualization and Hooking Frameworks\r\nThe malware is assembled using several legitimate open-source tools like VirtualApp, XposedBridge,\r\nXposedInstaller and Xposed to execute its overlay attacks. It exploits the legitimate capabilities of these tools, like\r\ntheir ability to virtualize apps in sandboxed environments and hook into specific application programming\r\ninterfaces (APIs), both to ensure its malicious code runs smoothly in these virtual spaces and to extract crucial\r\ndata.\r\nHow does virtualization work?\r\nThe approach used by GodFather relies on a virtualization technique in which a single app acts as a container\r\npotentially capable of running multiple other apps. 
These secondary apps, referred to as hosted apps, are not\r\ninstalled directly onto the Android system. Instead, they are placed within a virtual filesystem (Fig. 7) managed by\r\nthe host app. When one of these hosted apps is launched, the host creates a new process (Fig. 6), loads the hosted\r\napp into it, and then executes it.\r\nThe process responsible for executing the virtualized app is com.heb.reb:va_core.\r\nFig. 6: List of processes when the virtualized app is running\r\nFig. 7: Malware creating the virtual environment inside the host app\r\nGodFather Malware: A Toolkit for Overlay Attacks\r\nGodFather first gathers a list of all applications installed on the victim's device, specifically checking for a\r\npredetermined list of targeted apps (Fig. 8).\r\nFig. 8: List of installed apps sent to the C2\r\nIf any of the applications listed below are already installed on the victim's device, the malware downloads and\r\ninstalls (Fig. 9) the Google Play Store, Google Play Services and Google Services Framework APKs and writes them to\r\nthe virtual folder (Fig. 10).\r\nFig. 9: Downloading the Play Store, Play Services and Google Services Framework APKs\r\nFig. 
10: Information on the virtual environment created\r\nPackage name                          Bank Name\r\ncom.akbank.android.apps.akbank_direkt    Akbank Mobile\r\ncom.fibabanka.Fibabanka.mobile           Fibabanka\r\ncom.garanti.cepsubesi                    Garanti BBVA Mobile\r\ncom.tmobtech.halkbank                    Halkbank Mobil\r\ncom.ingbanktr.ingmobil                   ING Mobil\r\naz.kapitalbank.mbanking                  Birbank\r\ncom.kuveytturk.mobil                     Kuveyt Türk Mobile\r\ncom.pozitron.iscep                       İşCep: Banking \u0026 Finance\r\ntr.com.sekerbilisim.mbank                Şeker Mobil\r\ncom.tfkb                                 Türkiye Finans Mobile\r\ncom.ykb.android                          Yapı Kredi Mobile\r\ncom.ziraat.ziraatmobil                   Ziraat Mobile\r\nTable 1: List of banks that are targeted by the malware\r\nThe malware extracts essential information from targeted banking applications already installed on the device. It\r\nthen uses this data to generate a cache file named package.ini, which contains all the necessary details to launch\r\nthese specific banking apps within its virtual environment while preserving user sessions.\r\nThe malware follows a precise, multi-step process for this:\r\n1. APK parsing: Analysis of the APKs of the targeted apps.\r\n2. Private Space Preparation: The malware sets up a dedicated, private space within its virtual environment\r\nand copies over all the files needed for the banking application to run there.\r\n3. Completion Notification: It signals that these preparatory steps are complete.\r\nInformation gathered from the targeted applications operating within the virtual environment is subsequently\r\nconverted into a serializable format (Fig. 11).\r\nFig. 11: Package.ini and signature.ini files created in the application folder\r\nThis serialized data is cached as package.ini and certificate.ini files on disk (Fig. 12).\r\nFig. 
12: All the necessary components inside the package.ini to launch the banking app\r\nOnce the package.ini file is populated with key data from the legitimate banking application—such as its package\r\nname, libraries, and other components—the malware is ready to launch the virtualized version.\r\nWhen victims attempt to use their original banking app, the GodFather malware mimics their actions and redirects\r\nthem to its StubActivity, leveraging the accessibility service to achieve this seamless, deceptive launch.\r\nWhenever the victim attempts to open the real banking application (Fig. 13), the malware intercepts the original\r\nIntent to launch the legitimate app and generates a fake Intent that launches a virtual app designed to mimic the\r\nbanking application (Fig. 14).\r\nFig. 13: Original banking application intent\r\nFig. 14: Fake intent to launch the virtual app that mimics the banking application\r\nThe malware first replaces the system's standard Activity Manager with its own custom proxy. With this\r\ncontrol, it dictates how applications launched from its virtualized environment (VApp) behave.\r\nIt finely tunes launch behaviors within this virtual space, managing aspects like:\r\nThe activity's launch mode (standard or singleTask).\r\nWhether to reuse an existing task or initiate a new one.\r\nWhether to deliver a new intent or spawn a new process.\r\nAdditionally, the malware assigns a virtual process ID (vpid) to the activity. It then picks a placeholder \"stub\"\r\nactivity (Fig. 15) from the main host application to act as a bridge, enabling the virtualized app's true activity to\r\nexecute within the host environment. 
This entire process is key to how the malware seamlessly integrates and runs\r\nits deceptive banking apps.\r\nFig. 15: Stub activity where the virtualized app mimics the target bank\r\nHooking Methods to Harvest Credentials\r\nThe malware is designed to hook different methods depending on the banking application (Fig. 16).\r\nFig. 16: Different hooks depending on the virtualized target app\r\nThe code in Fig. 17 uses the Xposed hooking framework to intercept and manipulate network connections.\r\nSpecifically, it hooks the build() method of the OkHttpClient.Builder class, which is part of the popular OkHttp\r\nnetworking library used by many Android apps for handling HTTP requests. When a targeted app attempts to\r\ninstantiate its OkHttp client, this hook injects a custom interceptor into the client’s configuration. The injected\r\ninterceptor is a dynamically generated proxy object that allows the malware to log network requests and responses\r\nmade by the app.\r\nFig. 17: Network hooks used by the malware\r\nThe malware customizes its data interception strategy based on the specific banking app it's targeting. It does this\r\nby checking for unique identifiers within the app's package name. Once a particular bank app is detected, the\r\nmalware creates a specialized, malicious InterceptorHandler designed to intercept and record sensitive\r\ninformation specifically from that application. This capability provides a direct pathway for attackers to capture\r\nand exfiltrate sensitive data, including user credentials. 
\r\nAt runtime, GodFather intercepts and modifies the behavior of key APIs, such as\r\ngetEnabledAccessibilityServiceList (Fig. 18).\r\nFig. 18: Hooking the getEnabledAccessibilityServiceList API\r\nThis API returns a list of active accessibility services and is commonly used by banking apps to detect\r\nscreen readers or malicious services that are “observing” the screen. The malware hooks these methods to return\r\nan empty list (Fig. 19), hiding itself and all the other active services.\r\nFig. 19: Return an empty list for this method\r\nStealing via the Device Lock Screen\r\nA particularly alarming capability uncovered in the GodFather malware is its capacity to steal device lock\r\ncredentials, irrespective of whether the victim uses an unlock pattern, a PIN, or a password. This poses a\r\nsignificant threat to user privacy and device security.\r\nThis means that even a robust lock screen offers little protection against GodFather. The malware doesn't attempt\r\nto guess the lock; instead, it deploys a deceptive overlay (Fig. 20) designed to trick the user into revealing their\r\ncredentials. This overlay likely mimics the appearance of a legitimate lock screen or appears within an application\r\nprompting for such sensitive information. When a user interacts with this malicious overlay by inputting their\r\npattern, PIN, or password, the malware records these critical details.\r\nFig. 20: Overlay shown to the victim to steal credentials\r\nRemote Control of the Device\r\nTo control infected devices and carry out its malicious operations, the GodFather malware relies on a specific set\r\nof commands. These commands dictate the malware's behavior, allowing threat actors to remotely manage various\r\nfunctionalities. 
The table below details all the commands currently supported by the GodFather malware, outlining\r\ntheir purpose and enabling a clearer understanding of its capabilities.\r\nCommand          Description\r\nsetdata          Sets the value of position X and Y\r\nbacked           Takes the user to the previous screen\r\nhome             Takes the user to the home screen\r\nrecents          Takes the user to the recents screen\r\nscrollforwad     Scrolls the page forward\r\nscrollback       Scrolls the page backward\r\nopencontrol      Performs gestures on the target app\r\nsetpattern       Receives a value from the server and saves it to the “pc” variable\r\nscreenlight      Manages the brightness of the screen\r\nsl2              Sets a WakeLock with screen wake-up and stores it so it can be manually released later\r\nsl3              Uses a basic CPU-only WakeLock without storing or releasing it\r\nautopattern      The value received via the “setpattern” command is entered on the device screen using the accessibility service\r\ncsn              Sets the timer to initiate the WebSocket connection\r\nswpfull          Performs a full swipe operation\r\nupswp            Performs swipe up\r\ndownswp          Performs swipe down\r\nleftswp          Performs swipe left\r\nrightswp         Performs swipe right\r\nopnap            Opens an application depending on the package name received from the server\r\nblackscreen      Turns the screen black\r\nsunblack         Displays a fake update overlay with “Güncelleme kuruluyor..”\r\nblackoffscreen   Turns off the black screen\r\ngetblck          Gets the current battery level (as a percentage)\r\ngif              Loads a GIF to enable accessibility services\r\nsetDuration      Sets a duration of 500 ms\r\nsetaDuration     Sets a duration of 1500 ms used in some swipe gestures on the screen\r\nopnsttngs        Opens the settings app\r\nopnsound         Opens the sound settings\r\nopnmsc           Opens the notification settings screen for the current 
default SMS app\r\nopnpckg          Opens app notification settings depending on the package name received from the server\r\nphonelock        Shows a lock overlay depending on the PIN/password/pattern\r\ndownapp          Opens the browser on the store page of the legitimate application\r\nupScroll         Performs an upward scroll\r\ndownScroll       Performs a downward scroll\r\ndistru           Stores a list of targeted app package names in internal storage for later use in accessibility-triggered app blocking\r\nnotifiopen       Opens the notification drawer\r\nTable 2: List of commands used by GodFather\r\nClassical Overlay Approach\r\nBeyond its advanced virtualization techniques, the GodFather malware also continues to employ traditional\r\noverlay attacks, placing deceptive screens directly over legitimate applications (Fig. 21). This dual approach\r\nhighlights the threat actors' remarkable adaptability in their methods. Investigations have revealed approximately\r\n484 targeted applications, with the specific targets being received from the C2 server in a Base64-encoded\r\nformat.\r\nFig. 21: Traditional overlay received from the server\r\nList of Targeted Apps\r\nThe list of applications represents a significant and widespread targeting effort (hundreds of popular applications),\r\ncompromising major applications used by hundreds of millions of people globally. The targets can be categorized\r\ninto several key verticals:\r\nGlobal Payments, E-commerce, and Services\r\nThe campaign targets top-tier global brands that are household names in digital commerce and services. This\r\nincludes leading digital payment platforms with hundreds of millions of active users and billions of downloads, as\r\nwell as the world's most popular online shopping apps. 
The list also extends to major online auction sites, widely used ride-sharing and food delivery services, and top-tier media streaming platforms, indicating a broad effort to\r\ncapture credentials across a wide swath of daily digital life.\r\nGlobal Social Media and Communication\r\nThe malware targets the world's most popular communication platforms. This includes the leading encrypted\r\nmessaging service with over five billion downloads, as well as the dominant social media messaging and photo-sharing apps, each with billions of users. Compromising these platforms gives threat actors access to a massive\r\nand deeply personal set of user data.\r\nFinancial and Banking Applications (Global)\r\nThe targeting is exceptionally comprehensive in the banking sector, covering major financial institutions across\r\nNorth America, Europe, and Turkey. In the United States, the list includes nearly every major national bank,\r\nprominent investment and brokerage firms, and popular peer-to-peer payment apps. In the United Kingdom and\r\nCanada, the largest and most widely used retail and commercial banking applications are targeted. The campaign\r\nis also extensive across Europe, with major banks in Germany, Spain, France, and Italy included in the target list.\r\nCryptocurrency Exchanges and Wallets\r\nThis is one of the most exhaustive target categories, highlighting a clear focus on stealing digital assets. The\r\nmalware targets over 100 distinct cryptocurrency applications. This includes the world's largest and most popular\r\ncrypto exchanges, each serving tens of millions of users. The list also includes dozens of the most widely used\r\nsoftware and mobile wallets for storing digital assets, as well as the official companion apps for leading hardware\r\nwallets. 
This widespread effort indicates a strategic goal to compromise users across the entire crypto ecosystem,\r\nfrom casual investors to seasoned traders.\r\nMITRE ATT\u0026CK Techniques\r\nTo help our customers and the industry understand the impact of this malware, Zimperium has compiled the\r\nfollowing table containing the MITRE Tactics and Techniques as reference.\r\nTactic               ID         Name                                               Description\r\nInitial Access       T1660      Phishing                                           Adversaries host phishing sites to download malicious applications\r\nPersistence          T1603      Scheduled Task/Job                                 Uses a timer to initiate the WebSocket connection\r\nProcess Injection    T1631      Process Injection                                  GodFather has injected malicious code and a hooking framework through a virtualization solution, i.e. Virtualization Solution, into the process of the hosted application\r\nDefense Evasion      T1655.001  Masquerading: Match Legitimate Name or Location    Malware pretending to be a genuine music application\r\n                     T1670      Virtualization Solution                            GodFather uses a virtualization solution to place an overlay on top of banking applications\r\n                     T1617      Hooking                                            GodFather uses a hooking framework in a variety of ways, including returning false information to detection mechanisms\r\n                     T1516      Input Injection                                    Malware can mimic user interaction, perform clicks and various gestures, and input data\r\n                     T1406.002  Obfuscated Files or Information: Software Packing  The malware is obfuscated and uses a ZIP manipulation technique\r\nCredential Access    T1417.001  Input Capture: Keylogging                          It has a keylogger feature\r\nDiscovery            T1418      Software Discovery                                 Malware collects the installed application package list\r\n                     T1426      System Information Discovery                       The malware collects basic device information.\r\nCollection           T1417.001  Input Capture: Keylogging                          Malware can capture 
keystrokes\r\nCommand and Control  T1481.001  Web Service: Dead Drop Resolver                    Malware communicates with Telegram to fetch the C\u0026C server\r\nExfiltration         T1646      Exfiltration Over C2 Channel                       Sending exfiltrated data over the C\u0026C server\r\nImpact               T1516      Input Injection                                    It displays inject payloads like a pattern lock and mimics banking apps' login screens through overlays, stealing credentials.\r\nIOCs\r\nThe list of IOCs can be found here: GodFather IOCs.\r\nSource: https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
	],
	"report_names": [
		"your-mobile-app-their-playground-the-dark-side-of-the-virtualization"
	],
	"threat_actors": [],
	"ts_created_at": 1775434686,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d78e749790fe521114ae301ec9e459e205d91db7.pdf",
		"text": "https://archive.orkl.eu/d78e749790fe521114ae301ec9e459e205d91db7.txt",
		"img": "https://archive.orkl.eu/d78e749790fe521114ae301ec9e459e205d91db7.jpg"
	}
}