The technique allows attackers to run the real app inside a malicious sandbox, capture every tap and credential in real time, and bypass traditional overlay-based defences.
Perfect deception
Users interact with the genuine app, making visual detection impossible. This results in full account takeover; according to Zimperium, attackers can then harvest usernames, passwords, device PINs and even lock-screen credentials.
Rapid industry spillover
Zimperium found that the latest wave focuses on a dozen Turkish financial institutions, but the company suggests that any sector that relies on mobile apps (finance, retail, healthcare, government) faces identical risk.
Evasive by design
Godfather layers ZIP-format tampering, accessibility abuse, and Xposed-based hooking to blind static scanners and root-detection checks.
“Mobile attackers are moving beyond simple overlays; virtualisation gives them unrestricted, live access inside trusted apps,” said Fernando Ortega, Senior Security Researcher, Zimperium zLabs. “Enterprises need on-device, behaviour-based detection and runtime app protection to stay ahead of this shift toward a mobile-first attack strategy.”