Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Android Banking Trojan ‘Vultur’ Abusing Accessibility Services

A newly discovered Android banking Trojan relies on screen recording and keylogging instead of HTML overlays for the capturing of login credentials, according to security researchers at ThreatFabric.

A newly discovered Android banking Trojan relies on screen recording and keylogging instead of HTML overlays for the capturing of login credentials, according to security researchers at ThreatFabric.

Dubbed Vultur and first identified in March 2021, the malware gains full visibility into the victim device through the use of the VNC (Virtual Network Computing) implementation from AlphaVNC. Remote access to the VNC server on the device is provided through ngrok, which leverages secure tunnels to expose to the Internet endpoints located behind NATs and firewalls.

ThreatFabric said the mobile malware leverages the Accessibility Services to identify the application running in the foreground and, if the app is in the target list, the malware starts screen recording. Masquerading as an application called Protection Guard, Vultur is projecting the screen, an operation visible in the notification panel.

While it is not unusual for Android banking Trojans to leverage the Accessibility Services to conduct nefarious operations, they usually employ HTML overlays to trick users into revealing their login credentials. Vultur does employ overlay to gain access to all of the permissions it needs to run unhindered on the compromised device.

[ READ: How Low-level hackers Access High-End Malware ]

The malware also abuses the Accessibility Services to log all the keys that the user presses on the screen, as well as to prevent the victim from deleting the malware through manual uninstallation. When the user enters the app’s details screen in settings, the malware auto-clicks the back button, to bring the user back to the main screen.

Vultur targets various banking applications, mainly focusing on users in Australia, Italy, and Spain. Some victims in the Netherlands and the UK were also observed, but to a much lesser degree. The malware is very interested in harvesting crypto-wallet credentials too, and also keeps a close watch on social media applications.

According to ThreatFabric, the Vultur campaign appears linked to Brunhilda, a privately operated dropper that previously delivered Alien, a variant of the Cerberus banking malware that was observed in Google Play several months ago.

The Brunhilda sample associated with Vultur (it has the same icon, same package name, and same command and control server as a Vultur sample) has over 5.000 installs – out of more than 30.000 that Brunhilda droppers are estimated to have had through Google Play and unofficial store. 

Related: Many Security Products Fail to Detect Android Malware Variants

Related: Fake Netflix App Luring Android Users to Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.