Security scientists discovered a brand-new variation of the Vultur banking trojan for Android that consists of advanced push-button control abilities and an enhanced evasion system.
Scientists at scams detection business ThreatFabric initially recorded the malware in March 2021, and in late 2022, they observed it being dispersed over Google Play through dropper apps.
At the end of 2023, mobile security platform Zimperium consisted of Vultur in its leading 10 most active banking trojans for the year, keeping in mind that 9 of its variations targeted 122 banking apps in 15 nations.
A report from Fox-ITpart of the NCC Group, cautions that a brand-new, more incredibly elusive variation of Vultur infects victims through a hybrid attack that counts on smishing (SMS phishing) and telephone call that deceive the targets into setting up a variation of the malware that masquerades as the McAfee Security app.
Vultur’s brand-new infection chain
Vultur’s newest infection chain begins with the victim getting an SMS message signaling of an unapproved deal and advising to call a supplied number for assistance.
The call is responded to by a scammer who encourages the victim to open the link showing up with a 2nd SMS, which directs to a website that uses a customized variation of the McAfee Security app
Inside the trojanized McAfee Security app is the ‘Brunhilda’ malware dropper.
Upon setup, the app decrypts and carries out 3 Vultur-related payloads (2 APKs and a DEX file) that acquire access to the Accessibility Services, initialize the push-button control systems, and develop a connection with the command and control (C2) server.
New abilities
The most recent variation of Vultur malware that scientists examined keeps a number of crucial functions from older models, such as screen recording, keylogging, and remote gain access to by means of AlphaVNC and ngrok, enabling aggressors real-time tracking and control.
Compared to old versions, the brand-new Vultur has actually presented a series of brand-new functions, consisting of:
- Submit management actions consisting of download, upload, removal, setup, and discovering files on the gadget.
- Usage of Accessibility Services to carry out clicks, scrolling, and swiping gestures.
- Obstructing particular apps from carrying out on the gadget, showing custom-made HTML or a “Temporarily Unavailable” message to the user.
- Showing customized notices in the status bar to misguide the victim.
- Disable Keyguard to bypass lock screen security and gain unlimited access to the gadget.
In addition to these functions, the most recent Vultur variation has actually likewise included brand-new evasion systems, such as securing its C2 interactions (AES + Base64), utilizing several encrypted payloads that are decrypted on the fly when required, and masquerading its destructive activities under the guise of genuine apps.
In addition, the malware utilizes native code to decrypt the payload, that makes the reverse engineering procedure harder and likewise assists avert detection.
The scientists keep in mind that Vultur’s designers appear to have actually concentrated on enhancing the push-button control function over contaminated gadgets with commands for scrolling, swipe gestures, clicks, volume control, and obstructing apps from running.
It is clear that the author of the malware has actually made an effort to enhance the malware’s stealth and to include brand-new functions at a quick speed, showing that future variations will likely include more abilities.
To lessen the threat of malware infections on Android, users are advised to download apps just from credible repositories, like Android’s main app shop, Google Play, and prevent clicking URLs in messages.
It is constantly a great concept to examine the approvals an app demands when set up and ensure that you consent just to those required for the app’s core performance. A password management app ought to not need access to the phone’s cam or microphone.