Protect Against Evolving Malware Attacks with Threat Monitoring

Historically, malware has posed a serious threat to mobile applications, ranging from attacks on financial services applications (stealing customers’ credentials, credit card, and wallet data) to attacks on utilities like two-factor authentication applications (stealing OTP codes for account takeover). The usual pattern is that common malware takes advantage of certain mobile OS features, accessibility services, and permissions in order to perform its initial infection and gain control over the features it targets. But malware is continuously evolving. Threat actors come up with new and creative ways both to bypass the known countermeasures already deployed against these common attacks and to gain greater privileges over the infected device or target application.
In this post, we’ll explore how mobile app security teams can stay ahead of these evolving attacks through monitoring and early detection. We’ll also discuss various attack techniques, some of which, while individually known to the mobile security industry, pose significant risks when combined in advanced malware campaigns. Then, we will show how mobile app developers can help security teams by implementing a multi-layered mobile app defense strategy.
Monitor attacks as they happen
When a malware campaign begins, it’s only a matter of time before the phishing work and fraud start. Having advanced analytics that showcase malware attacks in real-time, including what security measures threat actors attempt to circumvent from an application, is crucial to understand the attack and any remediations that would be necessary before it becomes widespread. This kind of data can be easily collected by utilizing advanced mobile app threat monitoring capabilities in your application.
For example, in April 2025, ThreatCast observed a surge in malicious activity across certain countries, originating from specific financial mobile applications. During this spike, ThreatCast detected hook mechanisms targeting protected apps, affecting from several hundred to several thousand users per day. This activity occurred alongside the use of accessibility services and a potential OS integrity failure affecting specific devices and OS versions.
The graph below illustrates this surge in hook detection events in April, clearly linking the activity to the malware campaign.
When a malware campaign begins to spread and a sample isn’t immediately available, attributing specific behavior to a particular malware strain can be challenging. Despite this, ThreatCast users were still able to know, from the moment the attack started, what was happening. Even though ThreatCast users were unsure which malware strain was performing the attack, the techniques being used could be identified. Since ThreatCast can also link a given device’s activity to a user’s account, app developers were able to inform their users about the attack and, where users were infected by the malware, temporarily limit their accounts as necessary. App developers were also able to collect further information about the attack from these users, such as the context in which the malware sideloading/phishing took place. This information is crucial in order to both understand and stop the malware campaign as soon as possible.
Following an internal analysis, Guardsquare was able to correlate the spike in malicious activity to a new variant of the Godfather malware. Godfather is just one example of recent attacks in which malware relies on diversifying its techniques in an attempt to extract the maximum amount of data from its victims while attempting to remain undetected. When first reported by Cyble back in November 2024, Godfather was already able to target 500 banks and crypto wallet applications with a classical accessibility and permission-based attack, along with the simulation of user actions on-screen. In this new variant, the malware gained the capability to create virtualized copies of bank applications and steal user credentials from certain targeted banks in Turkey.
It should be noted that Guardsquare customers have been protected from this new variant of Godfather since before the campaign started, thanks to our layered defenses and advanced detection capabilities, which have been present in our solutions for over two years.
Just like in the case of Godfather, when malware evolves and gains new attack capabilities, ThreatCast users are not only able to know whether their application is being attacked, but by correlating the amount and types of events, they are able to know when the attack is happening, when it started, which users are being targeted, and with what kinds of attacks.
Beyond monitoring: Implementing detections for evolving malware attack techniques
As we’ve seen with Godfather, mobile malware is not stagnant; it continues to change how it attacks high-value operations in applications. Monitoring malware trends can help developers understand the ways in which their applications need to be protected in order to achieve their desired level of protection and stay ahead of attacks. But what’s needed to get to that level of protection?
Let’s build on the example of the recent Godfather variant to examine why evolving malware strains like Godfather succeed in extracting user data from unprotected or insufficiently protected mobile apps:
- Virtualized copies of targeted apps: Godfather can make virtualized copies of the mobile applications it targets, running in a malware-controlled virtual environment. Within this virtual environment, the malware can control all variables, allowing it to manipulate Android Java APIs or hook into the Android Binder without root or additional privileges. This enables data manipulation and helps hide the malware’s traces by manipulating Android’s accessibility APIs.
- Targeted hooks: Godfather relies on open-source hook frameworks like PineXposed, working at the application level without tampering with the device or application binary as it is loaded into memory. This enables the malware to disable security features or intercept network communication libraries like OkHttp.
- Syscall instrumentation: To further hide its traces, Godfather places hooks that instrument and manipulate the syscalls executed by the target app process, using seccomp filters.
While common malware may rely on accessibility and permission-based attacks, identifying these techniques alone is insufficient. Malware, like Godfather, combines multiple techniques, creating complex, multi-layered attacks that can bypass traditional defenses.
Another example we have recently covered is when malware relies on statically patching an application’s anti-tampering measures along with the checks the application performs to look for enabled accessibility services. In this scenario, applications are unaware they are being attacked, unless proper anti-tampering (with a sufficient number of random injection points, indistinguishable from the application’s own code) and threat monitoring are in place.
The key takeaway here is that while many of these attacks may not be new to the mobile app security industry, detecting and identifying each of them individually as well as implementing robust security measures is crucial to preventing complex attacks. This is what's referred to as a multi-layered approach.
Detecting root, app tampering, and more with Guardsquare’s RASP
While the aforementioned attacks may not be unknown to the mobile app security industry, detecting and identifying each of them individually is what helps prevent multiple different attack techniques from being stacked and complex attacks from being built upon them. This, too, is part of a multi-layered approach.
Detecting rooting, app tampering, or even the use of accessibility services on its own would not have been enough to detect the presence of evolving mobile malware strains.
This is where the capabilities of Guardsquare’s unique runtime application self-protection (RASP) solution come into play. Guardsquare’s RASP was designed from the ground up to be agnostic of malware strains. For this reason, it’s able to detect a given type of attack regardless of whether it’s being used in conjunction with other attacks, as seen with Godfather. Guardsquare’s approach to protection is based on achieving the best outcomes by combining these layered security features.
As previously stated, Guardsquare has been able to detect and protect its customers from the latest variants of the Godfather malware since before it started spreading, by identifying the hooks the malware places against the target application, such as through seccomp filters. Guardsquare has had these detections for over two years.
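One way a RASP layer can notice the seccomp-based syscall instrumentation described in the Godfather technique list and in the paragraph above, as an added example that is not Guardsquare’s code: parse the Seccomp fields of /proc/self/status and compare them with a baseline the app recorded at a trusted point (how and when that baseline is stored is an assumption here; the Seccomp_filters field only exists on Linux 5.9+ kernels, so the code treats it as optional).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct seccomp_state {
    int mode;     /* 0 = disabled, 1 = strict, 2 = filter; -1 = field absent */
    int nfilters; /* Seccomp_filters count (Linux 5.9+); -1 = field absent */
};

/* Parse the seccomp lines out of a /proc/<pid>/status text. */
struct seccomp_state parse_seccomp_status(const char *status_text) {
    struct seccomp_state st = { -1, -1 };
    const char *line = status_text;
    while (line && *line) {
        /* strtol skips the tab that separates field name and value */
        if (strncmp(line, "Seccomp_filters:", 16) == 0)
            st.nfilters = (int)strtol(line + 16, NULL, 10);
        else if (strncmp(line, "Seccomp:", 8) == 0)
            st.mode = (int)strtol(line + 8, NULL, 10);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return st;
}

/* Snapshot the calling process; {-1,-1} if /proc is unreadable. */
struct seccomp_state read_own_seccomp_state(void) {
    struct seccomp_state st = { -1, -1 };
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return st;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_status(buf);
}

/* 1 when the live state shows more filtering than the baseline the app recorded
   at a trusted point (assumed to exist). On Android the zygote already installs
   a seccomp-bpf filter, so mode 2 alone is normal; an additional filter layer
   on top of that baseline is the event worth reporting to threat monitoring. */
int seccomp_state_deviates(struct seccomp_state baseline, struct seccomp_state now) {
    if (now.mode != baseline.mode) return 1;
    if (now.nfilters >= 0 && baseline.nfilters >= 0 &&
        now.nfilters > baseline.nfilters) return 1;
    return 0;
}
```

On kernels without Seccomp_filters the check degrades to comparing the mode only, so a second filter layer cannot be distinguished there and this signal should be combined with the other hook detections the post describes.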
With Guardsquare, app developers are able to detect the use of these different techniques and decide whether to crash the mobile application or invoke a custom callback, and optionally report these threats to our threat monitoring service.
Going further with app attestation
As we have seen, proactive monitoring and a solid RASP defense are necessary in order to stay ahead of attacks. But what if there was a way to complement these and gain insights about whether the device and application are legitimate? Or if you could adjust and improve your detection capabilities on the go with server-side changes, without needing to re-release your application?
A way in which you can complement ThreatCast data is with Guardsquare’s App Attestation. For example, you can obtain attestation tokens which are linked to specific instances of a mobile application running on a device. With them, you can get threat information directly at the specific points in time you choose, such as during user login, where you can link users and tokens. This allows for correlating possible attacks with specific user accounts.
Threat data combined with App Attestation results can then be turned into actionable recommendations. If specific devices do not meet your criteria based on App Attestation results, they can be blocked from accessing your API when used in combination with server-side attestation, or they can trigger a degraded user experience with enhanced mitigations.
In some cases, App Attestation can perform additional detections without having to re-release your application. Policies can also be reconfigured dynamically, allowing you to adjust RASP checks, security controls, and reaction mechanisms in real-time.
What this means for your business
Threats are evolving fast, as shown by the surge of Godfather malware variants. Staying ahead of them requires visibility into real-world attack behaviour, the ability to detect suspicious activities in real-time, and mobile application protection that adapts without disrupting your release cycle. Guardsquare’s unique mobile app threat intelligence data, collected across hundreds of millions of daily active devices, empowers security teams to proactively defend their mobile apps from malware, reverse engineering, and tampering threats. To learn more, connect with an expert today.