Researchers warn of Vultur Trojan attempting to steal banking credentials from Android devices


The malware initiates a screen recording session if the app running in the foreground is on its target list

Researchers at cyber security firm ThreatFabric have published a report warning of a new kind of malware that is attempting to steal banking credentials of Android users through screen recordings.

Dubbed Vultur, this banking Trojan makes its way onto Android devices via a dropper called Brunhilda, which has been found in several fitness, phone-security and authentication apps available on Google Play.

About 30,000 Android devices are thought to have been infected with Brunhilda to date, meaning that thousands of Android users have likely been infected with Vultur.

Like other malware targeting Android devices, Vultur begins its compromise by abusing Android Accessibility Services, which are designed to help users customise their devices.

Vultur's technique for stealing login details from an infected device, however, differs from that of other banking Trojans.

In previously observed banking Trojan attacks, threat actors have mostly relied on overlay techniques, where they trick users into believing that they are typing their login credentials in a legitimate banking app. That approach usually requires more effort and time to steal user data, according to researchers.

Vultur, on the other hand, uses code to recognise when a user is filling in a data entry form. It then uses Virtual Network Computing (VNC) on the device to record the screen, also performs keylogging via VNC, and sends all captured data to a malicious site operated by the attackers.

"The biggest threat that Vultur offers is its screen recording capability. The Trojan uses Accessibility Services to understand what application is in the foreground. If the application is part of the list of targets, it will initiate a screen recording session," the report notes.

While Vultur has been designed to mainly harvest banking login credentials, the researchers say they have also observed instances where hackers carried out keylogging for social media apps, including Facebook, TikTok and WhatsApp. In a limited number of cases, the malware was also seen targeting cryptocurrency apps.

"The story of Vultur shows again how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of the actor," the report adds.

"With Vultur, fraud can happen on the infected device of the victim. These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware back-end."

Vultur has so far mostly infected devices in Italy, Australia, the UK and the Netherlands, according to the researchers.

To protect themselves from a Vultur attack, the researchers advise users not to let an infected app use the Accessibility Services on their device.
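One way to act on that advice is to audit which apps currently hold accessibility access on a device. The script below is an added example, not code from the ThreatFabric report: it parses the value Android stores in the secure setting `enabled_accessibility_services` (on a real device, obtained with `adb shell settings get secure enabled_accessibility_services`) and prints every service that is not on an owner-maintained allowlist. The allowlist entry and the `com.example.fitnessapp` service are constructed placeholders, not real Vultur indicators.

```bash
#!/usr/bin/env bash
# Added example: flag unexpected Android accessibility services.
# Android stores enabled services as a ':'-separated list of
# "<package>/<service class>" entries in the secure setting
# 'enabled_accessibility_services'.

# Hypothetical allowlist: services the device owner knowingly enabled.
ALLOWED_SERVICES="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample of the setting value, as 'settings get' would print it.
# The second entry stands in for a dropper-installed app; it is a placeholder.
SAMPLE_SETTING="com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fitnessapp/.svc.AccessibilityHelper"

# flag_unexpected_services "<setting value>" "<allowlist>"
# Prints one line per enabled service that is not on the allowlist.
# 'null' is what 'settings get' prints when no service has ever been enabled.
flag_unexpected_services() {
    setting="$1"
    allow="$2"
    if [ -z "$setting" ] || [ "$setting" = "null" ]; then
        return 0
    fi
    old_ifs="$IFS"
    IFS=':'
    for svc in $setting; do
        if [ -n "$svc" ]; then
            case ":$allow:" in
                *":$svc:"*) ;;                 # known service, keep quiet
                *) printf '%s\n' "$svc" ;;     # not on the allowlist
            esac
        fi
    done
    IFS="$old_ifs"
    return 0
}

# Stand-alone run against the constructed sample.
flag_unexpected_services "$SAMPLE_SETTING" "$ALLOWED_SERVICES"
```

On a real device, replace the sample with the live setting value; any flagged service should be reviewed and, if unrecognised, revoked under Settings > Accessibility before the app is removed.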

When Vultur transmits data to its central server, the system shows an active 'casting' icon in the Android notifications. If a user is not casting anything but the icon still appears in the notification area, it indicates a security issue with the device.