Cybersecurity researchers at Zimperium have sounded the alarm about a new and improved variant of the infamous “Godfather” banking malware. Originally known for creating invisible overlays atop banking apps to steal credentials, this upgraded version now launches fake virtualized apps within a sandbox environment. Users may believe they are accessing their legitimate mobile banking app — while in reality, they are interacting with a malware-controlled clone designed to harvest data.
How It Works: Virtual Banking Apps Inside Your Phone
The latest Godfather variant no longer needs extensive permissions to function. Instead of requesting access or raising red flags, it silently activates a fake version of the targeted banking app. When users open their banking apps, the malware hijacks the session, recording credentials, PIN codes, and even unlock patterns. It can also remotely control the device, executing wire transfers during off-hours — often when the victim is asleep.
Banking While You Sleep: Remote Transfers and Data Theft
What makes this version even more dangerous is its ability to perform transactions without alerting the user. The malware can conduct full banking operations once it has login access — including transferring funds, reading two-factor authentication codes, and bypassing app protections. Cybersecurity experts warn that the malware is currently targeting Turkish Android users but may expand globally without warning.
A Global Threat on the Horizon
Zimperium’s report warns that Godfather’s capabilities make it likely to spread beyond Turkey. Given how seamlessly it integrates with mobile infrastructure, users in other regions — particularly in the West — are at risk. The virtualized sandbox model allows the malware to evade detection and bypass traditional security measures. As mobile banking becomes more common, the need for stronger device-level security and user vigilance is greater than ever.