Godfather Android Malware Report

This report is about ‘Godfather Android Malware’.

As ThreatMon, we strive to prevent potential malicious activities by informing individuals, companies, firms, institutions, and organizations about current threats through our reports, posts, and analyses.

Godfather resurfaced in 2025 as a highly modular Android banking trojan that embeds full virtualization toolkits (VirtualApp, Xposed) to load genuine banking and crypto apps inside an invisible container. While the user interacts with the real app interface, Godfather intercepts credentials, one-time passwords and session tokens, and can even automate UI interactions to execute unauthorized transfers in real time.

Since mid-2025, more than 500 distinct banking, cryptocurrency and e-commerce applications across Europe, Latin America, Southeast Asia and especially Türkiye have been targeted, with infections delivered via phishing SMS campaigns, fake update notifications on third-party app stores and malicious payloads sold under a Malware-as-a-Service model. Attackers leverage Android’s accessibility APIs and dynamic screen overlays to harvest SMS- and Authenticator-based OTPs, while encrypted C2 channels (including Telegram bots) provide resilient command delivery and data exfiltration.

Evasion is enhanced by on-device unpacking, Java-layer virtualization and per-app hook deployment that sidestep both signature-based detections and sandbox emulators. The rise of Godfather underscores a shift toward virtualization-powered mobile threats: defenders must deploy behavior-based monitoring, enforce app integrity checks, strengthen multi-factor authentication and apply targeted YARA rules for virtualization artifacts to detect and neutralize this evolving threat.
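One form the recommended app integrity check can take is a runtime self-test inside the banking app for signs that it has been loaded into a virtualization container rather than installed normally. The following Android snippet is an added illustration, not code from the report or from ThreatMon; it assumes the stock class names of the two frameworks the report names (Xposed's `de.robv.android.xposed.XposedBridge`, VirtualApp's `com.lody.virtual.client.core.VirtualCore`) and the default data-directory layout of an unmodified device.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Heuristic check: does this process show signs of running inside a VirtualApp/Xposed container? */
public final class ContainerCheck {

    // Class names of the stock frameworks named in the report (assumption: unrenamed builds).
    private static final String[] FRAMEWORK_CLASSES = {
        "de.robv.android.xposed.XposedBridge",
        "com.lody.virtual.client.core.VirtualCore",
    };

    /** Returns a list of human-readable indicators; an empty list means nothing suspicious was seen. */
    public static List<String> findIndicators(Context ctx) {
        List<String> hits = new ArrayList<>();
        ApplicationInfo info = ctx.getApplicationInfo();
        String pkg = ctx.getPackageName();

        // 1. A normally installed app lives at /data/data/<pkg> or /data/user/<userId>/<pkg>.
        //    A container redirects the data dir under the host app's own storage.
        Pattern expectedDataDir = Pattern.compile("/data/(data|user/\\d+)/" + Pattern.quote(pkg));
        if (info.dataDir == null || !expectedDataDir.matcher(info.dataDir).matches()) {
            hits.add("unexpected dataDir: " + info.dataDir);
        }

        // 2. Hooking or virtualization classes resolvable from our own class loader.
        for (String cls : FRAMEWORK_CLASSES) {
            try {
                Class.forName(cls);
                hits.add("framework class present: " + cls);
            } catch (ClassNotFoundException ignored) {
                // expected on a clean device
            }
        }

        // 3. Framework artifacts mapped into this process's memory.
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                if (line.contains("XposedBridge") || line.contains("com.lody.virtual")) {
                    hits.add("suspicious mapping: " + line.trim());
                    break;
                }
            }
        } catch (IOException ignored) {
            // /proc/self/maps unreadable: treat as no evidence rather than as a hit
        }
        return hits;
    }
}
```

These indicators match the stock frameworks; a repackaged build can rename classes and paths, so the result should feed the behavior-based monitoring the report calls for rather than serve as the sole gate on a transaction.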
