Vultur Malware, a previously undocumented Android banking trojan, has been reported using screen recording to steal sensitive information from Android devices, including banking credentials, opening the door to on-device fraud. Vultur gets its name from its use of Virtual Network Computing (VNC) remote screen-sharing technology to obtain a full view of victims’ devices. Vultur was distributed via the Google Play Store under the guise of an app named “Protection Guard”, which received over 5000 downloads.
The primary targets of Vultur Malware were banking and crypto-wallet apps in Italy, Australia, and Spain.
“For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way,” researchers said in a report to media.
“The actors chose to steer away from the common HTML overlay development we usually see in other Android banking Trojans: this approach usually requires a larger time and effort investment from the actors to create multiple overlays capable of tricking the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.”
Earlier banking malware such as MysteryBot, Grandoreiro, Banker.BR and Vizom relied on overlay attacks to trick victims into revealing passwords. With more recent strains, such as Vultur Malware, it seems that many operators are moving away from this approach.
Cybersecurity firm Cleafy showed as much in a recent report, which observed malware using WebRTC to interact with the compromised Android phone in real time. Vultur uses similar tactics, taking advantage of VNC to log all phone activities and side-step the fraud detection that banks rely on.
Vultur Malware uses ngrok, a cross-platform utility that exposes local servers sitting behind NATs and firewalls to the internet. It also connects to a command-and-control (C2) server, receiving commands over Firebase Cloud Messaging (FCM); the results, including extracted data and screen captures, are then transmitted back to the server.
A report from ThreatFabric also connected Vultur with another well-known piece of malicious software named Brunhilda, a dropper that utilizes the Play Store to distribute different kinds of malware in what’s called a “dropper-as-a-service” (DaaS) operation, citing overlaps in the source code and C2 infrastructure used to facilitate attacks.
“The story of Vultur shows one more time how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of this group,” the researchers concluded. “These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware backend and sent in the form of command sequences, making it easy for the actor(s) to hit-and-run.”
Vultur Malware Analysis
Note: This analysis was carried out by ThreatFabric.
Vultur approaches banking fraud with a Modus Operandi that is in some way different from what we usually see from Android banking trojans. The usual banking trojan MO heavily relies on abusing the overlay mechanic to trick victims into revealing their passwords and other important private information. In an overlay attack, users type their credentials in what they think is a legitimate banking app, effectively giving them to a page controlled by the attacker. Vultur, on the other hand, uses a less technically flexible yet very effective technique: screen recording.
Like the large majority of banking trojans, Vultur heavily relies on Accessibility Services. When it is first started, the malware hides its app icon and right after that abuses the services to obtain all the permissions it needs to operate properly. It is worth noting that the application requests Accessibility Service access while showing a WebView overlay borrowed from other malware families. In fact, the first time we saw this WebView was with the Alien banking malware.
Whenever any new event triggers the Accessibility Event service, the bot checks if it is coming from an application that is part of the list of keylogging targets. If so, then it uses Accessibility Services to log everything typed by the user.
In addition to keylogging, the services are used to stop the user from deleting the application from the device through the usual procedure, such as going into the settings and manually uninstalling the application. Whenever the user reaches the app details screen, the bot automatically clicks the back button, sending the user to the main settings screen and effectively denying access to the uninstall button.
The main VNC-like features are implemented in native code. All the functionalities, such as the function nstart_vnc() in the code below, are included in the libavnc.so library, which is interfaced to the application through a wrapper class.
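The two Accessibility Service behaviours described above (an enabled accessibility service on an app that has hidden its own icon) are the kind of traits a defender can score during device triage. The following is an added example, not code from ThreatFabric's report or from Vultur; the package inventory records are constructed, and a real collector would populate them from adb (`pm list packages`, `dumpsys package` and the `enabled_accessibility_services` secure setting).

```python
# Added triage heuristic for Vultur-style Accessibility Service abuse (not
# ThreatFabric's or Vultur's code). Package records below are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SYSTEM_PREFIXES = ("com.android.", "com.google.android.")

@dataclass
class PackageInfo:
    name: str
    accessibility_enabled: bool          # listed in enabled_accessibility_services
    has_launcher_activity: bool          # False once the app hides its icon
    native_libs: List[str] = field(default_factory=list)
    installer: Optional[str] = None      # "com.android.vending" = Play Store

def score_package(pkg: PackageInfo) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher means closer to the Vultur pattern."""
    score, reasons = 0, []
    if pkg.name.startswith(SYSTEM_PREFIXES):
        return 0, ["system package, skipped"]
    if pkg.accessibility_enabled:
        score += 3
        reasons.append("accessibility service enabled (keylogging / UI automation)")
    if not pkg.has_launcher_activity:
        score += 2
        reasons.append("no launcher activity: icon hidden from the app drawer")
    if pkg.accessibility_enabled and pkg.native_libs:
        score += 1   # VNC-like features live in native code (libavnc.so)
        reasons.append("native code alongside accessibility access: " + ", ".join(pkg.native_libs))
    # A Play Store installer is NOT exculpatory: Vultur shipped through Play.
    return score, reasons

def triage(inventory: List[PackageInfo], threshold: int = 5) -> List[Tuple[str, int, List[str]]]:
    """Packages at or above the threshold, highest score first."""
    hits = []
    for pkg in inventory:
        s, why = score_package(pkg)
        if s >= threshold:
            hits.append((pkg.name, s, why))
    return sorted(hits, key=lambda h: -h[1])

# Constructed inventory: a benign accessibility app, a hidden-icon widget with
# no accessibility access, and a hypothetical package showing all three traits.
SAMPLE_INVENTORY = [
    PackageInfo("com.example.screenreader", True, True, installer="com.android.vending"),
    PackageInfo("com.example.widget", False, False),
    PackageInfo("com.example.protectionguard", True, False, ["libavnc.so"], "com.android.vending"),
]

if __name__ == "__main__":
    for name, s, why in triage(SAMPLE_INVENTORY):
        print(f"{name}: score {s}\n  - " + "\n  - ".join(why))
```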
Below is a complete list of the methods supported by the bot. These are the commands that the bot can send to the C2 to request, or to send back, information:
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls, including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.