Android Users Plagued by the Vultur Data Collecting RAT

android vulture rat malwareSecurity researchers have just spotted a new Remote Access Trojan (RAT) that has been harvesting data from Android-based devices across the globe. Dubbed Vultur, the RAT is capable of collecting login credentials and banking details and triggering remote code execution (RCE) on any infected device.

A Devil in Disguise

Unlike other forms of malware that typically rely on spam and sponsored links to propagate, Vultur’s creators have decided to give the RAT a somewhat misleading name — "Protection Guard." The latter is up on the official Google Play store and has been downloaded more than five thousand times since its inception. While such a parasite could reach millions of Android devices in the twinkling of an eye, Vultur has adopted a custom approach of only targeting Android users who have installed at least one (or more) digital currency coining application.

The First Android Threat to Utilize VNC

Never before has there been an Android-targeted Trojan capable of taking an iron grip on a mobile device. The key to Vultur’s success as a piece of malware is the use of Virtual Network Computing, or VNC, which allows the RAT to carry out automated remote-screen recording and keylogging. Thus, Vultur appears to do more damage than its overlay attack-based counterparts, even though the latter is much more common. In an overlay attack, a Trojan such as Banker.BR, MysteryBot, or Grandoreiro, will create a fake login page and load it every time you open your genuine banking application to collect passwords, usernames, etc. In a VNC attack, a Trojan such as Vultur will make a video recording of whatever it spots on the screen. To do that, the RAT needs to get the target's permission to keep a log of keystrokes, Web browsing, multimedia, etc. It also catches the private contents of the local servers and sets up a bridge with an active C&C server.

Connections to Brunhilda

The Vultur RAT is similar to the infamous Brunhilda malware since both appear on the official GooglePlay Store masked as simple PC optimization tools. Those tools, however, often tend to execute malware instead of fixing the bugs on your system. Both the Vultur RAT and Brunhilda developed from scratch rather than rented or bought from the Dark Web.