Connect with us

Hi, what are you looking for?


Data Protection

Android Banking Trojan ‘Vultur’ Abusing Accessibility Services

A newly discovered Android banking Trojan relies on screen recording and keylogging instead of HTML overlays for the capturing of login credentials, according to security researchers at ThreatFabric.

A newly discovered Android banking Trojan relies on screen recording and keylogging instead of HTML overlays for the capturing of login credentials, according to security researchers at ThreatFabric.

Dubbed Vultur and first identified in March 2021, the malware gains full visibility into the victim device through the use of the VNC (Virtual Network Computing) implementation from AlphaVNC. Remote access to the VNC server on the device is provided through ngrok, which leverages secure tunnels to expose to the Internet endpoints located behind NATs and firewalls.

ThreatFabric said the mobile malware leverages the Accessibility Services to identify the application running in the foreground and, if the app is in the target list, the malware starts screen recording. Masquerading as an application called Protection Guard, Vultur is projecting the screen, an operation visible in the notification panel.

While it is not unusual for Android banking Trojans to leverage the Accessibility Services to conduct nefarious operations, they usually employ HTML overlays to trick users into revealing their login credentials. Vultur does employ overlay to gain access to all of the permissions it needs to run unhindered on the compromised device.

[ READ: How Low-level hackers Access High-End Malware ]

The malware also abuses the Accessibility Services to log all the keys that the user presses on the screen, as well as to prevent the victim from deleting the malware through manual uninstallation. When the user enters the app’s details screen in settings, the malware auto-clicks the back button, to bring the user back to the main screen.

Vultur targets various banking applications, mainly focusing on users in Australia, Italy, and Spain. Some victims in the Netherlands and the UK were also observed, but to a much lesser degree. The malware is very interested in harvesting crypto-wallet credentials too, and also keeps a close watch on social media applications.

Advertisement. Scroll to continue reading.

According to ThreatFabric, the Vultur campaign appears linked to Brunhilda, a privately operated dropper that previously delivered Alien, a variant of the Cerberus banking malware that was observed in Google Play several months ago.

The Brunhilda sample associated with Vultur (it has the same icon, same package name, and same command and control server as a Vultur sample) has over 5.000 installs – out of more than 30.000 that Brunhilda droppers are estimated to have had through Google Play and unofficial store. 

Related: Many Security Products Fail to Detect Android Malware Variants

Related: Fake Netflix App Luring Android Users to Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...