A newly discovered Android banking Trojan relies on screen recording and keylogging instead of HTML overlays for the capturing of login credentials, according to security researchers at ThreatFabric.
Dubbed Vultur and first identified in March 2021, the malware gains full visibility into the victim device through the use of the VNC (Virtual Network Computing) implementation from AlphaVNC. Remote access to the VNC server on the device is provided through ngrok, which leverages secure tunnels to expose to the Internet endpoints located behind NATs and firewalls.
ThreatFabric said the mobile malware leverages the Accessibility Services to identify the application running in the foreground and, if the app is in the target list, the malware starts screen recording. Masquerading as an application called Protection Guard, Vultur is projecting the screen, an operation visible in the notification panel.
While it is not unusual for Android banking Trojans to leverage the Accessibility Services to conduct nefarious operations, they usually employ HTML overlays to trick users into revealing their login credentials. Vultur does employ overlay to gain access to all of the permissions it needs to run unhindered on the compromised device.
The malware also abuses the Accessibility Services to log all the keys that the user presses on the screen, as well as to prevent the victim from deleting the malware through manual uninstallation. When the user enters the app’s details screen in settings, the malware auto-clicks the back button, to bring the user back to the main screen.
Vultur targets various banking applications, mainly focusing on users in Australia, Italy, and Spain. Some victims in the Netherlands and the UK were also observed, but to a much lesser degree. The malware is very interested in harvesting crypto-wallet credentials too, and also keeps a close watch on social media applications.
According to ThreatFabric, the Vultur campaign appears linked to Brunhilda, a privately operated dropper that previously delivered Alien, a variant of the Cerberus banking malware that was observed in Google Play several months ago.
The Brunhilda sample associated with Vultur (it has the same icon, same package name, and same command and control server as a Vultur sample) has over 5.000 installs – out of more than 30.000 that Brunhilda droppers are estimated to have had through Google Play and unofficial store.