Vultur, Android banking malware, has been observed incorporating new technical features, which allow the malware operator to remotely communicate with the victim’s mobile device.
Additionally, Vultur has begun disguising more of its harmful behavior by encrypting its C2 communication, employing several payloads that are dynamically decrypted, and executing its malicious activities under the pretense of legitimate programs.
Vultur has capabilities like keylogging and screen interaction with the victim’s device, primarily targeting banking applications for remote control and keylogging.
ThreatFabric made the initial discovery of Vultur in late March 2021. In the past, Vultur exploited ngrok and AlphaVNC, two reputable software applications, to gain remote access to the VNC server that was operating on the victim’s device.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
Vultur was deployed using a dropper framework named Brunhilda, which hosts malicious apps on the Google Play Store.
“In a recent campaign, the Brunhilda dropper is spread in a hybrid attack using both SMS and a phone call”, Fox-IT shared with Cyber Security News.
“The first SMS message guides the victim to a phone call. When the victim calls the number, the fraudster provides the victim with a second SMS that includes the link to the dropper: a modified version of the McAfee Security app”.
New Technical Features Of Vultur
- Download, upload, delete, install, and find files;
- Control the infected device using Android Accessibility Services (sending commands to perform scrolls, swipe gestures, clicks, mute/unmute audio, and more);
- Prevent apps from running;
- Display a custom notification in the status bar;
- Disable Keyguard in order to bypass lock screen security measures.
Vultur has enhanced its methods for evading detection and anti-analysis by:
- Modifying legitimate apps (use of McAfee Security and Android Accessibility Suite package name);
- Using native code in order to decrypt payloads;
- Spreading malicious code over multiple payloads;
- Using AES encryption and Base64 encoding for its C2 communication.
The most interesting aspect is that the malware may use Android’s accessibility services to remotely connect with the compromised device.
Now, the malware operator can transmit commands to carry out moves such as swipes, clicks, and scrolling.
“The file manager feature includes the ability to download, upload, delete, install, and find files. This effectively grants the actor(s) with even more control over the infected device”, researchers said.
Blocking the victim from interacting with the device’s apps is another intriguing new capability. This functionality allows the malware operator to designate a list of applications that, upon detection as running on the device, should be pressed back on.
The Attack Chain
Using a hybrid attack consisting of two SMS messages and a phone call, the threat actors trick innocent individuals into installing malware.
Initially, the victim gets an SMS message telling them to phone a number in case they don’t approve a big-money transaction.
Although this transaction never happened, it gives the victim the impression that it has to happen immediately, which tricks them into acting.
During the phone call, a second SMS is sent to the victim instructing them to click on a link to install a trojanized version of the McAfee Security app.
This program is essentially a Brunhilda dropper, which appears harmless to the victim because it has features seen in the McAfee Security app.
Three Vultur-related payloads are decrypted and executed by this dropper, providing the threat actors complete control over the victim’s mobile device.
Experts investigating recently submitted Vultur samples noticed that new features were added one after the other, indicating that the malware is still being actively developed to become more powerful.
Based on these findings, it is anticipated that Vultur will soon receive additional functionality.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.