GodFather malware hijacks banking apps on Android devices


Security researchers at Zimperium zLabs, a mobile security software provider, have uncovered a sophisticated evolution of the "GodFather" banking malware, which employs an advanced on-device virtualization technique to hijack legitimate mobile applications, with a significant focus on banking and cryptocurrency apps.

This malware is substantially more dangerous than many existing mobile device threats, according to the zLabs analysis, because it exploits and controls legitimate banking apps rather than spoofing them.

Which banking and crypto apps are being targeted

While the researchers did not publish the complete list of targeted applications, their analysis says that, in the U.S., the malware targets "nearly every major national bank," as well as "prominent investment and brokerage firms" and "popular peer-to-peer payment apps."

The research group said it also targets major financial institutions across Europe, especially in Turkey.

For U.S. banks and credit unions, the emergence of advanced malware like GodFather underscores the importance of robust mobile security strategies. While the newest attack found by zLabs impacts the Android operating system, the evolving threat landscape and regulatory shifts that could open up platforms traditionally considered more "closed" may introduce new attack vectors.

What is GodFather malware and why is it dangerous?

The GodFather malware operates by installing a malicious "host" application on a victim's device that contains a virtualization framework. This host then downloads and runs a copy of the actual targeted banking or cryptocurrency application within its controlled sandbox environment.

When a user launches their legitimate app, the malware seamlessly redirects them to this virtualized instance, where it monitors and controls every action, tap and data entry in real time.

This technique provides attackers with "total visibility into the application's processes," according to zLabs, allowing them to intercept credentials and sensitive data instantaneously.

Because users interact with the real, unaltered application, the attack achieves "perfect deception," making it nearly impossible to detect through visual inspection, according to the analysis.

Beyond its virtualization capabilities, GodFather also uses some traditional overlay attacks, which place deceptive screens over legitimate applications.

Android vs. iOS: A security reality check for banks

The security measures implemented by mobile operating systems like Android and iOS differ significantly, impacting their susceptibility to such threats.

Android's open-source nature allows for greater customization and flexibility, but also exposes it to a wider range of security vulnerabilities, which have long been targeted by threat actors.

Google Play Protect, Google's on-device protection service, scans devices daily for potentially harmful applications, or PHAs, regardless of where they were downloaded. It can automatically disable or remove severe PHAs and offers real-time checks for apps installed from outside Google Play.

However, automated malware detection such as Google Play Protect is often limited to threats that are already publicly known and cannot reliably catch zero-day vulnerabilities that have not yet been disclosed.

Developers — such as banks building digital banking apps — can also use the Play Integrity API to verify if their app binary is genuine and running on a genuine Android-powered device.
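The Play Integrity API only helps if the bank's backend actually enforces the verdict it gets back. The following is an added example, not code from the article, Zimperium, or Google: it validates an already-decoded Play Integrity verdict the way a banking backend would before trusting a session. It assumes the app has sent its integrity token to the backend and the backend has exchanged it with Google for the decoded verdict JSON (that exchange is outside the block). The package name, signing-certificate digest, nonce and sample verdicts below are placeholders constructed for the example; the field names and label values (`requestDetails`, `appIntegrity`, `deviceIntegrity`, `accountDetails`, `PLAY_RECOGNIZED`, `MEETS_DEVICE_INTEGRITY`, `LICENSED`) are the API's own.

```python
"""Server-side validation of a decoded Play Integrity verdict (example code).

Assumed flow: the Android app requests an integrity token with a server-issued
nonce, ships the token to the bank's backend, and the backend exchanges it with
Google for the decoded verdict. This module checks that verdict before the
backend treats the session as coming from a genuine build on a genuine device.
"""

# Placeholder values: a real deployment uses its own package name and the
# base64url SHA-256 digest(s) of its release signing certificate.
EXPECTED_PACKAGE = "com.example.bank"
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_RELEASE_CERT_SHA256_DIGEST"}
MAX_VERDICT_AGE_MS = 5 * 60 * 1000  # reject verdicts older than five minutes


def validate_verdict(verdict: dict, expected_nonce: str, now_ms: int,
                     required_device_label: str = "MEETS_DEVICE_INTEGRITY") -> list:
    """Return a list of problem codes; an empty list means the verdict passes.

    Banks that want a hardware-backed attestation can pass
    required_device_label="MEETS_STRONG_INTEGRITY" instead.
    """
    problems = []

    # 1. The request must be ours: right package, our nonce, and fresh.
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        problems.append("request_package_mismatch")
    if req.get("nonce") != expected_nonce:
        problems.append("nonce_mismatch")  # replayed or forged verdict
    try:
        ts = int(req.get("timestampMillis"))  # Google returns this as a string
    except (TypeError, ValueError):
        ts = None
    if ts is None or ts > now_ms or now_ms - ts > MAX_VERDICT_AGE_MS:
        problems.append("stale_or_invalid_timestamp")

    # 2. The app binary must be the build published on Play, signed with our key.
    app = verdict.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        problems.append("app_not_recognized")  # repackaged or unknown build
    if app.get("packageName") != EXPECTED_PACKAGE:
        problems.append("app_package_mismatch")
    digests = set(app.get("certificateSha256Digest", []))
    if not digests or not digests.issubset(EXPECTED_CERT_DIGESTS):
        problems.append("signing_cert_mismatch")

    # 3. The device must carry at least the required integrity label.
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if required_device_label not in labels:
        problems.append("device_integrity_insufficient")

    # 4. The install must be licensed through Play.
    if verdict.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        problems.append("unlicensed_install")

    return problems


# Constructed sample data for a stand-alone run; not real verdicts.
SAMPLE_NOW_MS = 1_700_000_000_000
SAMPLE_NONCE = "server-issued-nonce-123"

GOOD_VERDICT = {
    "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                       "nonce": SAMPLE_NONCE,
                       "timestampMillis": str(SAMPLE_NOW_MS - 2_000)},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                     "packageName": EXPECTED_PACKAGE,
                     "certificateSha256Digest": ["PLACEHOLDER_RELEASE_CERT_SHA256_DIGEST"],
                     "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY",
                                                     "MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

# A verdict a backend should refuse: unrecognized (repackaged) build signed with
# a different key, on a device that only meets basic integrity, unlicensed.
BAD_VERDICT = {
    "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                       "nonce": SAMPLE_NONCE,
                       "timestampMillis": str(SAMPLE_NOW_MS - 2_000)},
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION",
                     "packageName": EXPECTED_PACKAGE,
                     "certificateSha256Digest": ["SOME_OTHER_CERT_DIGEST"],
                     "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "UNLICENSED"},
}


if __name__ == "__main__":
    print("good:", validate_verdict(GOOD_VERDICT, SAMPLE_NONCE, SAMPLE_NOW_MS))
    print("bad: ", validate_verdict(BAD_VERDICT, SAMPLE_NONCE, SAMPLE_NOW_MS))
```

The nonce and timestamp checks matter as much as the integrity labels: without them a single genuine verdict could be captured and replayed for later sessions. Policy belongs on the server, since a client-side check is exactly what a hijacked or repackaged app would be in a position to skip.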

Despite these measures, Android's fragmentation, where updates are often stalled by manufacturers, can increase the risk of security breaches.

Third-party app stores on Android "typically have insufficient review processes," which can lead to malware-laden applications, according to an analysis by security company Astra.

Apple's iOS is known for its closed-source code and walled garden approach, which generally creates a stable and secure environment by only allowing vetted applications into the Apple App Store — though some malicious apps still make it through this review process.

Apple reviews "every single app and each app update," according to its support pages, to evaluate whether it meets privacy, security and safety requirements, aiming to "protect users by keeping malware, cybercriminals, and scammers out of the App Store."

This review process includes automated scans for known malware, human review of app descriptions and manual checks to ensure apps do not unnecessarily request access to sensitive data.

While generally secure, iOS is "not immune to security vulnerabilities," according to Astra. A potential security breach at Apple could affect all iOS devices, and the reliance on a single app store "amplifies the possibility of a single point of failure."

Researchers at Cybernews observed that iPhones, even with Chinese apps installed, rarely contacted servers in China while idle, suggesting stricter Apple policies might be a factor. However, "Without closely examining each data packet sent by the iPhone app, it's impossible to tell what's in it," and "nothing is completely safe," the researchers said.

How new regulations could open the door to more attacks

Both Apple and Google face increasing regulatory scrutiny in the U.S. and Europe concerning their control over app distribution and payment systems, which could reshape mobile security landscapes. In the U.S., Apple and Google face antitrust lawsuits from the Justice Department challenging their market control.

Proposed legislation, such as the "App Store Freedom Act," aims to weaken their dominance by requiring app stores with over 100 million U.S. users to "allow users to set third-party apps or app stores as default; install apps or app stores outside of the dominant platform; and remove or hide pre-installed apps," according to Kat Cammack, a Republican member of the U.S. House of Representatives representing Florida.

Cammack's bill would also prohibit app store owners from requiring exclusive use of their in-app payment systems and prevent them from sanctioning developers for offering lower prices outside the marketplace — a major point of litigation on which Apple has been losing in recent months.

The European Union has taken its own approach with the Digital Markets Act, or DMA, designating Apple and Google as so-called "gatekeepers" that are subject to clear rules around third-party app stores.

The DMA requires such gatekeepers to "allow third parties to inter-operate with the gatekeeper's own services" and "allow their business users to promote their offer and conclude contracts with their customers outside the gatekeeper's platform," according to the European Commission, the body that writes EU-wide laws.

The DMA also prohibits gatekeepers from "prevent[ing] users from un-installing any pre-installed software or app if they wish so," said the commission.

In response, Apple is introducing changes in the EU, allowing app store developers to communicate and promote offers for digital purchases available at destinations of their choice, including alternative app marketplaces or websites.

Additionally, iOS and iPadOS will provide an updated user experience for installing alternative marketplaces or apps from a developer's website. Apple previously argued that such measures would cause severe security issues.
