Connect with us

Hi, what are you looking for?


Malware & Threats

‘Vultur’ Android Malware Gets Extensive Device Interaction Capabilities

NCC Group researchers warn that the Android banking malware ‘Vultur’ has been updated with device interaction and file tampering capabilities.

The Android banking malware known as Vultur has been updated with new capabilities, allowing operators to interact with the infected devices and modify files, according to a report from security consulting outfit NCC Group.

Vultur was first documented in March 2021, when it stood out for the abuse of the legitimate applications AlphaVNC and ngrok for remotely accessing the VNC server on the victim device, and for automating screen recording and key-logging for credential harvesting.

The most recent version of the banking malware, however, packs significantly more capabilities, allowing attackers to control the infected device, prevent applications from running, display custom notifications, bypass lock-screen protections, and download, upload, install, search for, and delete files.

The new features, according to the NCC Group report, are mostly related to the remote interaction with the infected device, but the malware continues to rely on AlphaVNC and ngrok for remote access.

In addition, Vultur features updated anti-analysis and detection evasion techniques, spreading the malicious code over multiple payloads, modifying legitimate applications, using native code for payload decryption, and relying on AES encryption for command-and-control (C&C) communication.

The infection chain starts with a SMS message instructing the victim to call a phone number to resolve a large transaction that they did not authorize. During the call, a second SMS message that includes a link to a modified McAfee Security package is received.

The modified application contains the functionality of the legitimate McAfee Security software, along with the dropper-framework called Brunhilda, which deploys Vultur via three payloads, the last two designed to invoke each other’s functionality.

The NCC Group report notes that Brunhilda first registers with its C&C server, which delivers the first payload, designed to obtain Accessibility Service privileges and install the next stage. The second payload contains the AlphaVNC and ngrok setup, while the third, a Dalvik Executable (DEX) file, contains the core backdoor functionality.

Advertisement. Scroll to continue reading.

For remote interaction with the infected device, the malware includes seven new C&C methods, allowing the attackers to perform “clicks, scrolls, swipe gestures, and more”, and 41 new commands related to Firebase Cloud Messaging (FCM), a messaging service provided by Google.

“The message sent by the malware operator through FCM can contain a command, which, upon receipt, triggers the execution of corresponding functionality within the malware. This eliminates the need for an ongoing connection with the device,” NCC Group explains.

The latest version of Vultur can also prevent the user from interacting with applications on the device, which are defined in a list provided by the attacker.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said in an emailed statement.

*Updated with statement from Google.

Related: VPN Apps on Google Play Turn Android Devices Into Proxies

Related: Anatsa Android Trojan Continues to Spread via Google Play

Related: Chameleon Android Malware Can Bypass Biometric Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.