New Malware Turns Real Banking Apps Into Spy Tools


Researchers warn that the GodFather banking malware has evolved, transforming trusted applications into tools for theft.

In a rush? Here are the quick facts:

  • GodFather malware creates fake versions of real banking apps.
  • It records every tap and keystroke in real time.
  • It uses virtualization to bypass visual detection and security.

Cybersecurity researchers at Zimperium zLabs discovered this advanced version of the malware, which uses virtualization to create deceptive copies of genuine applications, making it nearly impossible for users to detect.

“This method marks a significant leap in mobile threat capabilities,” explained researchers Fernando Ortega and Vishnu Pratapagiri. Instead of simply showing a fake login screen like older malware, this version installs a host app that runs a virtual copy of your real banking or crypto app.

So when you open your banking app, you’re actually using a hijacked version that looks and behaves like the original, but every tap and password is being recorded.

The malware targets applications from more than 500 companies, including banks worldwide, crypto wallets, and shopping and messaging services. It specifically targets 12 Turkish banks, including Ziraat, Akbank, and ING Mobil. After installation, the malware can extract all user data, including PINs and passwords, together with messages and crypto wallet keys.

Worse still, it uses tricks to avoid detection. It manipulates Android ZIP files to fool security scans, hides malicious code in harmless-looking parts of the app, and abuses Android’s accessibility services to spy on users. “Ultimately, this virtualization technique erodes the fundamental trust between a user and their mobile applications,” researchers warned.

On infected devices, GodFather lets hackers perform swipes, tap within applications, and steal the screen lock password. The malware even shows fake pop-ups that trick users into granting permissions without realizing it.

The researchers stress that mobile banking and crypto users need to download apps only from authorized sources and monitor their applications for any abnormal behavior. Even a real app, they warn, might not be what it seems.
