(Washington, D.C., June 20, 2025) — Following U.S.

As malware evolves to be more sophisticated, seeing should not always equal believing. A new iteration of the “Godfather” malware found on Android is hijacking legitimate banking apps, making it increasingly difficult for users (and on-device protections) to detect.

An early version of Godfather utilized screen overlay attacks, which placed fraudulent HTML login screens on top of legitimate banking and crypto exchange apps, tricking users into entering credentials for their financial accounts. It was first detected on Android in 2021 and was estimated to target several hundred apps across more than a dozen countries.

The new threat, uncovered by security firm Zimperium, is Godfather’s virtualization, which allows the malware to create a complete virtual environment on your device rather than simply spoofing a login screen. It does so by installing a malicious “host” application, which scans for targeted financial apps and then downloads copies that can run in its virtual sandbox.

If you open one of those targeted apps, Godfather redirects you to the virtual version. You’ll see the real banking interface, but everything that happens within it can be intercepted and manipulated in real time. As Bleeping Computer notes, this includes harvesting account credentials, passwords, PINs, and capture responses from the bank’s back end. Further, the malware can control your device remotely, including initiating transfers and payments inside the banking or crypto app, even when you’re not using it.

This threat is severe not only because it is difficult for users to detect visually, but also because it can evade on-device security checks like root detection. Android protections see only the host app’s activity while the malware’s remains hidden.

How to protect your device from Godfather

According to Zimperium, while the current campaign affects nearly 500 apps, it has primarily focused on banks in Turkey. That said, it could easily spread to other countries, as the previous version did.

To protect against Godfather and any other malware targeting your Android device, download and install apps only from trusted sources, like the Google Play Store. You can change permission settings for unknown sources under Settings > Apps > Special app access > Install unknown apps. You should ensure Google Play Protect, which scans apps for malware, is enabled, and that your device and apps are kept up to date. Now would also be a good time to audit the apps you have on your device and delete any you don’t use or don’t need.

Since Godfather’s attack mechanism is so sophisticated, you should also follow other basic best practices for avoiding malware in the first place. Never open attachments or click links in emails, texts, or social media posts, and avoid clicking ads, which are used to spread malware.

Passwords are a staple of both the internet and computing at large. Even as new authentication protocols have emerged—from passkeys to biometrics—most of us use passwords to log into our daily accounts and websites using a code made up of letters, numbers, and symbols.

The problem is, the password was really a product of its time, and doesn’t really belong in the modern digital age. Cybersecurity threats have evolved so far beyond the capability of a password to protect from them that they have actually become a liability—even when you follow best practices for creating them and keeping them secure. Case in point: News of the latest data breach, one of the largest ever, in which researchers discovered not millions, but billions of passwords floating around on the web.

Sixteen billion passwords leaked on the internet

Cybernews broke the story Friday: This year, the outlet’s researchers found 30 datasets exposed on the internet, each containing anywhere from “tens of millions to over 3.5 billion records.” According to the researchers, they’ve found a collective 16 billion passwords leaked on the web.

What’s more, these passwords are all newly leaked. None of them have been reported in previous data breaches, save for roughly 180 million passwords found in an unprotected database back in May. The researchers say they continue find new “massive” datasets every few weeks, so the discoveries show no signs of slowing.

According to researchers, the way the data was structured strongly suggests the leaked credentials were stolen via infostealers, a type of malware that scrapes your devices for just this type of information. Bad actors were able to obtain the login details for major accounts, including Apple, Google, GitHub, Facebook, Telegram, and government services. As Cybernews makes clear, this doesn’t mean those companies suffered data breaches themselves; rather, the database contained login URLs for these companies’ login pages that were scraped from individual devices, likely using malware.

Some credentials also contained additional data aside from usernames and passwords, including cookies and session tokens. That means it’s possible that this information could be used to bypass two-factor authentication (2FA) for certain accounts, especially those that do not reset cookies after you change your password.

If there’s a silver lining in this story, it’s the fact that the 16 billion passwords leaked do not represent 16 billion individual records; there is some overlap, though it’s not clear how much: While it’s safe to say that fewer than 16 billion individual accounts were affected by these breaches, it’s also tough to know the exact number.

What can bad actors do with this data?

First and foremost, if your accounts are only protected by a password, and you haven’t changed your password recently, a bad actor could use this leaked password database to access your account.

But the implications go beyond that. As previously stated, leaked cookies and session tokens could be used to break into accounts with weaker 2FA. If your account doesn’t reset cookies after you change your password, they might be able to trick the 2FA system into thinking they’ve provided the proper 2FA code or credential. They can also use this information in phishing schemes: Hackers can use your password to trigger a 2FA code generation. When the code arrives on your end, they can try to trick you into handing it over, potentially posing as the company behind the account in question. If and when you send the code, they’ll gain access your account.

Why it’s time to stop using passwords altogether

This level of sophisticated (and routine) data breach just wasn’t a thing back when the password came into popular use as the primary digital security tool. For years, experts in tech and cybersecurity have preached the importance of using a combination of strong and unique passwords, password manager tools, and 2FA to keep your accounts safe and secure. Those are all still important today, but when malware exists that can scrape your credentials directly from your devices, those tactics don’t seem so bulletproof anymore.

The fact is, a security system that relies on something that can be stolen isn’t a secure system in 2025. Things need to change—and luckily, they are.

Passkeys are much more secure

Going forward, it’s time to take passkeys much more seriously. Passkeys, unlike passwords, are not at risk of theft, nor can bad actors trick you into sending your passkey to them. The tech is tied to a device you personally own, like a smartphone, and locked behind strong authentication. Without a face scan, fingerprint scan, or PIN entry on said personal device, no one is getting into your account.

Passkeys combine with the best parts of both passwords and 2FA: They’re convenient, since you quickly authenticate yourself with your smartphone (like autofilling with a password manager), but they also require that personal device to be in your posession to access the account, similar to how you need a secondary authentication method to log in with 2FA.

More and more companies are starting to adopt passkeys as a form of authentication, including Apple, Google, Facebook, Microsoft, and X. If any of your accounts support passkeys, I strongly suggest you set them up. That way, when the next inevitable data breach does occur, you’ll be protected.

What to do for accounts that don’t accept passkeys

Of course, not all accounts can use passkeys right now. In those cases, you’ll need to shore up your password security as best you can.

First, make sure each of your accounts has a password that is strong and unique. That means something that cannot be easily guessed by either a human or a computer, as well as something you haven’t used for any other account before. While you don’t need to change your passwords as frequently as traditional security advice has suggested, given the news, you might want to refresh your passwords, just in case.

It’s impossible to remember all those strong and unique passwords, which is where a good password manager comes in. These services use strong encryption to protect your database of passwords—all you need to remember is the one strong and unique password you use to access the password manager, and the app can remember the rest. Some of these services come with other tools as well, like authenticator code generation, so they’re well worth the investment. PCMag has a list of the best password managers for 2025, if you’re looking for hand-tested recommendations.

Speaking of authenticators, set up 2FA for every account that supports it—which, at this time, should be most of them. While passkeys are the strongest form of authentication, 2FA still beefs up your security in the event your password is leaked. Without the code or an authenticator tool, like a security key, bad actors won’t be able to access your account, even with your password in hand.

Finally, with more websites and companies adding support for passkeys all the time (including, earlier this week, Facebook), keep watching your accounts for the option, and make the switch as soon as you can. Stay safe out there.

We may earn a commission from links on this page. Deal pricing and availability subject to change after time of publication.

We’re getting to that time of the year when every major retailer seems to have a huge sale leading up to the summer. Amazon’s Prime Day sale is the main event in the summer, which all the other retailers seem to revolve around. Best Buy is calling its Prime Day competition sale “Black Friday in July,” and it lasts nearly a week. Here is what you can expect.

When is Best Buy’s ‘Black Friday in July’ sale?

Best Buy’s summer sale will take place from July 7 through July 13. It also so happens to overlap Prime Day (likely not by coincidence), which runs from July 8 through 11. This is the first time that this sale will last a week—previously, it was three days long.

What other retailers are competing with Amazon’s Prime Day?

After Amazon’s Prime Day announcement, both Target and Best Buy announced theirs. Target is having Circle Week, which will run from July 6 through 12, and Best Buy is having its Black Friday in July sale. Walmart hasn’t made an official announcement yet, but it’s surely just a matter of time before it does.

Do you need to be a member to shop Best Buy’s sale?

Best Buy hasn’t released details on whether the sale will be exclusively for paying members, but I have reached out for more info and will update here. Based on its previous sales, it’s likely that anyone who is subscribed to Best Buy’s free membership will be able to participate.

What can I expect from Best Buy’s Black Friday in July sale?

There is no official list of deals from Best Buy yet, but in an email, it said shoppers can expect deals on TVs, laptops, headphones, video games, electric bikes, and “more.” It also said you’ll be able to get new deals every day during the sale available in stores, on its website, and in the Best Buy mobile app.