
How the New Android Dropper App Screen Records Everything on your Phone

by CISOCONNECT Bureau

Recently, security researchers discovered a new Android banking trojan, Vultur, which is more advanced than other Android banking trojans. Read on to know more…

Recently, security researchers discovered a new Android banking trojan that records everything that happens on your phone. According to Netherlands-based security firm ThreatFabric, the Android banking trojan dubbed ‘Vultur’ obtains your login information through screen capturing and keylogging.

According to the researchers, the Vultur malware is installed on Android phones via a dropper framework dubbed “Brunhilda,” which appears in the Google Play Store as fitness apps and 2FA authenticators.

Vultur is the first Android banking trojan discovered by ThreatFabric that employs both screen recording and keylogging as its primary strategy to get access to a user’s login credentials. Other Android banking trojans use the standard HTML overlay strategy, which takes more time and effort to steal crucial data.

The Vultur malware was discovered in at least two dropper apps, one of which had over 5,000 downloads on the Google Play Store. The number of potential victims is estimated to be in the thousands, according to ThreatFabric. This malware primarily targeted Italian, Australian, and Spanish banking institutions. Several instances of keylogging have been discovered in social networking apps including TikTok, Facebook, and WhatsApp. Crypto wallets were also targeted, according to the report.

Working Mechanism
On Android-based smartphones, Vultur relies on Accessibility Services to function. It records everything that happens on the victim’s screen using VNC (Virtual Network Computing), software for remotely controlling another computer. It can also detect when the victim opens an app from its list of targeted apps, and starts screen recording at that point. According to ThreatFabric, the notification panel will indicate “Projection Guard” under the casting symbol when the screen recording is in progress.

ThreatFabric reported that “Vultur is able to monitor applications that are launched and start screen recording/keylogging once targeted application is launched.”

According to the report, “Vultur uses droppers posing as some additional tools, like MFA authenticators, located in official Google Play Store as a main distribution way, therefore, it is hard for end users to distinguish malicious applications. Once installed, Vultur will hide its icon and request Accessibility Service privileges to perform its malicious activity. Being provided with these privileges, Vultur also activates self-defensing mechanism that makes it hard to uninstall it: if victim tries to uninstall trojan or disable Accessibility Service privileges, Vultur will close Android Settings menu to prevent it.”

Vultur steals login credentials differently from previous Android banking trojans. In most situations, the conventional Android banking trojan deceives victims into entering their credentials in what appears to be a legitimate banking app, allowing the attackers access. Vultur instead employs screen recording to quickly obtain login credentials without the need for any other tricky methods.

Mitigation
When an app requests Accessibility Service access, users can deny it to prevent the malware from taking their data. A casting icon that appears when the user is not casting anything can also be used to identify the malware. ThreatFabric also recommends installing antivirus software for Android.

ThreatFabric offers these suggestions for getting out of the grip of the Vultur malware: “One, boot the phone into safe mode, preventing the malware from running” and then try to uninstall the app. “Two, use ADB (Android Debug Bridge) to connect to the device via USB and run the command adb uninstall <malware_package_name>. Or perform a factory reset.”
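Because Vultur hides its icon, the package name needed for the adb uninstall step is not obvious from the launcher. The following script is an added example, not code from ThreatFabric or from this article: it reads the list of enabled accessibility services over ADB and prints every package that is not on an allowlist. The allowlist contents and the sample package name com.example.fitnesstool are constructed assumptions.

```shell
#!/bin/sh
# Packages expected to hold accessibility access (assumption; adjust per device).
ALLOWLIST="com.google.android.marvin.talkback"

# Print the unique package names from a colon-separated list of
# "package/ServiceClass" components, the format of the secure setting
# enabled_accessibility_services. An unset setting is reported as "null".
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r comp; do
        case "$comp" in
            ''|null) continue ;;
        esac
        printf '%s\n' "${comp%%/*}"
    done | sort -u
}

# Print the packages from $1 that are not on the allowlist.
unexpected_a11y_packages() {
    for pkg in $(a11y_packages "$1"); do
        case " $ALLOWLIST " in
            *" $pkg "*) ;;
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

# Query a USB-connected device (USB debugging enabled) and report candidates.
audit_device() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    for pkg in $(unexpected_a11y_packages "$raw"); do
        echo "Unexpected accessibility service package: $pkg"
        echo "  inspect: adb shell dumpsys package $pkg | grep firstInstallTime"
        echo "  remove:  adb uninstall $pkg"
    done
}

# Constructed sample of the setting value, for running without a device.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fitnesstool/com.example.fitnesstool.GuardService'

if [ "${1:-}" = "--device" ]; then
    audit_device
fi
```

Run it with --device while the phone is in safe mode, so the malware cannot close the Settings menu or interfere while the list is reviewed.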

A Brief Conclusion
The discovery of this Android-based dropper app shows that Android banking trojans have improved significantly, making it easier for hackers to obtain login credentials. Mobile banking malware, according to ThreatFabric, will only grow and become more sophisticated in the future.
