CONFERENCE Now Live: CISO Forum Virtual Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Android Banking Trojan ‘Vultur’ Abusing Accessibility Services

A newly discovered Android banking Trojan relies on screen recording and keylogging instead of HTML overlays for the capturing of login credentials, according to security researchers at ThreatFabric.

A newly discovered Android banking Trojan relies on screen recording and keylogging instead of HTML overlays for the capturing of login credentials, according to security researchers at ThreatFabric.

Dubbed Vultur and first identified in March 2021, the malware gains full visibility into the victim device through the use of the VNC (Virtual Network Computing) implementation from AlphaVNC. Remote access to the VNC server on the device is provided through ngrok, which leverages secure tunnels to expose to the Internet endpoints located behind NATs and firewalls.

ThreatFabric said the mobile malware leverages the Accessibility Services to identify the application running in the foreground and, if the app is in the target list, the malware starts screen recording. Masquerading as an application called Protection Guard, Vultur is projecting the screen, an operation visible in the notification panel.

While it is not unusual for Android banking Trojans to leverage the Accessibility Services to conduct nefarious operations, they usually employ HTML overlays to trick users into revealing their login credentials. Vultur does employ overlay to gain access to all of the permissions it needs to run unhindered on the compromised device.

[ READ: How Low-level hackers Access High-End Malware ]

The malware also abuses the Accessibility Services to log all the keys that the user presses on the screen, as well as to prevent the victim from deleting the malware through manual uninstallation. When the user enters the app’s details screen in settings, the malware auto-clicks the back button, to bring the user back to the main screen.

Vultur targets various banking applications, mainly focusing on users in Australia, Italy, and Spain. Some victims in the Netherlands and the UK were also observed, but to a much lesser degree. The malware is very interested in harvesting crypto-wallet credentials too, and also keeps a close watch on social media applications.

According to ThreatFabric, the Vultur campaign appears linked to Brunhilda, a privately operated dropper that previously delivered Alien, a variant of the Cerberus banking malware that was observed in Google Play several months ago.

Advertisement. Scroll to continue reading.

The Brunhilda sample associated with Vultur (it has the same icon, same package name, and same command and control server as a Vultur sample) has over 5.000 installs – out of more than 30.000 that Brunhilda droppers are estimated to have had through Google Play and unofficial store. 

Related: Many Security Products Fail to Detect Android Malware Variants

Related: Fake Netflix App Luring Android Users to Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Secure enterprise browser provider Menlo Security has appointed Bill Robbins as President.

Erik Rolf has joined Booz Allen Hamilton as the Business Information Security Officer (BISO) of Commercial Sector.

Gant Redmon has joined Trustle as its new Chief Executive Officer and Board Director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.