Account Takeover Fraud , Cybercrime , Cybercrime as-a-service

Researchers Uncover New Android Banking Malware

ThreatFabric Says Vultur Uses Screen Recording to Target Victims
Researchers Uncover New Android Banking Malware
Vultur is spread disguised as a legitimate app in Google Play Store. (Source: Google Play)

A newly uncovered banking Trojan dubbed Vultur is targeting Android users through screen recording to capture the victims' banking credentials, a new report by security firm ThreatFabric says.

See Also: OnDemand | Password Management: Securing Hybrid Work for the Long Haul

The latest campaign, which has been active since September 2020, is being spread by malicious actors as a legitimate app in Google Play Store. The researchers say Vultur's attack techniques make it unique.

"The usual banking Trojan MO heavily relies on abusing the overlay mechanic to trick victims into revealing their passwords and other important private information," the report notes. "In an overlay attack, users type their credentials in what they think is a legitimate banking app, effectively giving them to a page controlled by the attacker. Vultur, on the other hand, uses a less technically flexible yet very effective technique: screen recording."

The ThreatFabric report says the malware is actively targeting banking app users across Italy, Australia and Spain.

Attack Tactics

Like most Android malware, Vultur begins its compromise by exploiting Android Accessibility Services designed to customize user interactions with their device. To exploit this feature, the malware first disguises itself as a legitimate two-factor authentication app or as a fitness app.

Once downloaded, the malware hides its app icon and then proceeds to exploit the Accessibility Services to obtain all the required permissions. This in turn helps Vultur to perform keylogging and prevent users from deleting the app from the device.

The Trojan then performs screen recording of the device's Virtual Network Computing, which allows remote access to the device's screen. "The biggest threat that Vultur offers is its screen recording capability. The Trojan uses Accessibility Services to understand what application is in the foreground. If the application is part of the list of targets, it will initiate a screen recording session," the report notes.

The malware then exfiltrates credentials data from a set of short-listed apps and sends it to its command-and-control servers.

Links to Other Strains

ThreatFabric researchers say an analysis of the malware infrastructure revealed that Vultur is potentially linked to a malware dropper called Brunhilda. In December 2020, Brunhilda was tied to a banking malware campaign that distributed the Trojan as legitimate banking apps, according to a report by security firm Prodaft.

The malware then dropped Alien malware on the victim's device, which then snooped on any newly downloaded apps.

Targeting Android

While Google has put more money and effort into securing its app store, fraudsters and hackers keep changing their tactics to get malicious apps posted on the platform.

During July, security firm Trend Micro uncovered a campaign led by hack-for-hire firms that deployed Android malware to target visitors to Syria's e-government website as part of its latest cyberespionage campaign (see: Mercenary Hacking Group Deploys Android Malware).

Earlier in July, security firm Cybereason found another campaign in which hackers deployed an updated version of the FakeSpy infostealer to target Android devices using SMS phishing messages (see: FakeSpy Android Malware Disguised as Postal Service Messages).


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.