Skip to content Skip to footer

Vultur Android Banking Trojan Resurfaces with Enhanced Features

The Android banking trojan, Vultur, has resurfaced with new features and improved anti-analysis and detection evasion techniques. Its operators can now remotely interact with a mobile device and harvest sensitive data. The has also started masquerading more of its malicious activity by encrypting its C2 communication using multiple encrypted payloads decrypted on the fly. It uses the guise of legitimate applications to carry out its malicious actions.

NCC Group researcher Joshua Kamp, in a report published last week, said, “Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions.”

Vultur was first disclosed in early 2021. can leverage Android's accessibility services APIs to execute malicious actions. The malware has been observed to be distributed via trojanized dropper on the Google Play Store. These dropper masquerade as authenticator and productivity to trick unwitting users into installing them. They are offered as part of a dropper-as-a-service (DaaS) operation called Brunhilda.

Other attack chains, as observed by NCC Group, involve the droppers being spread using a combination of SMS messages and phone calls – a technique called telephone-oriented attack delivery (TOAD) – to serve an updated version of the malware ultimately. “The first SMS message guides the victim to a phone call,” Kamp said. When the victim calls the number, the fraudster provides the victim with a second SMS that includes the link to the dropper: a modified version of the [legitimate] McAfee Security app.

The initial SMS message aims to induce a false sense of urgency by instructing the recipients to call a number to authorize a non-existent transaction that involves a large sum of money. Upon installation, the malicious dropper executes three related payloads (two APKs and one DEX file) that register the bot with the C2 server, obtain accessibility services permissions for remote access via AlphaVNC and ngrok, and run commands fetched from the C2 server.

One of the prominent additions to Vultur is the ability to remotely interact with the infected device, including carrying out clicks, scrolls, and swipes through Android's accessibility services. It can also download, upload, delete, install, and find files. Additionally, the malware is equipped to prevent the victims from interacting with a predefined list of , display custom notifications in the status bar, and even disable Keyguard to bypass lock screen security measures.

Vultur's recent developments have shown a shift in focus towards maximizing remote control over infected devices. Kamp said, “With the capability to issue commands for scrolling, swipe gestures, clicks, volume control, blocking from running, and even incorporating file manager functionality, it is clear that the primary objective is to gain total control over compromised devices.”

The development comes as Team Cymru revealed the Octo (aka Coper) Android banking trojan's transition to a malware-as-a-service operation, offering its services to other threat actors for conducting information theft. “The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device's screen,” the company said. It employs various injects to steal sensitive information, such as passwords and login credentials, by displaying fake screens or overlays. Additionally, it utilizes VNC (Virtual Network Computing) for screen sharing and remote access.

In conclusion, being cautious when installing on your mobile devices is crucial. We advise downloading only from trusted sources and avoiding that appear suspicious or require excessive permissions. Updating your mobile operating system and installing an effective security solution is also essential.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

I have photographic memory! It's a curse!Nikon

Deitasoft © 2024. All Rights Reserved.