Vultur Android Malware

Vultur Android Malware Description

A new Android banking Trojan has been discovered by the researchers. They named it Vultur and disclosed information about some of its characteristics, which appear to be used for the first time in a malware threat of this type. However, the end goal of the threat is still to obtain the banking credentials and other sensitive user information and exfiltrate the data to the cybercriminals' server. So far, Vultur is targeting the applications of banking and crypto-related entities from several countries, with the primary focus being on Italy, Australia and Spain.  

Initial Attack Vector and Capabilities

Vultur disguised itself as a fake security application named 'Protection Guard,' which was available for download on the Google Play store. Before it was taken down, the threatening app had managed to amass around 5,000 downloads. Once inside the user's device, Vultur unveils its true harmful potential. 

Instead of the typical overlay attack method observed in most other banking Trojans, Vultur employs a new technique. It uses Virtual Network Computing (VNC)'s remote screen-sharing capabilities to illicitly start tracking all activities conducted onto the compromised device. To facilitate remote access to the VNC server that is running locally on the device, the threat deploys a cross-platform utility known as 'ngrok.' Finally, to initiate its keylogging routines, Vultur exploits the Accessibility Services on the device, a common behavior associated with banking Trojans. 

Relation to Another Malware

Researchers also discovered some links between Vultur and a previously detected dropper threat named Brunhilda. The dropper has been part of several documented unsafe operations and is believed to be offered in a MaaS (Malware-as-a-Service) scheme. It can deliver different malware types to the victim's devices and is usually distributed via weaponized applications on the Play Store. The overlaps between the two threats were found inside the source code and the Command-and-Control (C2, C&C) infrastructure of the attacks.