Stay alert: this dangerous Android malware masquerades as a McAfee security tool

A new version of a well-known Android banking Trojan is making the rounds on the Internet, stealing sensitive data and possibly even money from its victims.

Cybersecurity researchers at NCC Group’s Fox-IT sounded the alarm about a new, upgraded version of the Vultur banking Trojan, which was first spotted in early 2021 but has since undergone a number of significant changes and upgrades.

While previous versions were distributed via dropper apps smuggled into the Play Store, this new version uses a combination of smishing and legitimate app exploits. The researchers said the attackers would first send a text message to their victims, alerting them to an unauthorized payment transaction and sharing a phone number for the victim to call.

Complete takeover

If the victim takes the bait and calls the number, the attacker convinces them to download a compromised version of the McAfee Security app. While the app works as intended on the surface, it delivers the Brunhilda malware dropper in the background. This dropper drops three payloads, including two APKs and a DEX file that, after obtaining access to accessibility services, establishes a connection to the command-and-control (C2) server and gives the attackers remote control over the Android device.

For a Trojan, Vultur is quite capable. It can record the screen, record keystrokes and grant the attackers remote access via AlphaVNC and ngrok. In addition, attackers can download and upload files, install apps, delete files, click, scroll and swipe around the device, and block various apps from running. It can also display custom notifications and disable Keyguard to bypass the lock screen.

Finally, Vultur encrypts its C2 communications to further evade detection.

As usual, the best way to protect against these threats is to use common sense and download apps only from legitimate, proven repositories.
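A defender-side check for the infection chain described above (a sideloaded app that obtains accessibility services), added here as an example and not taken from the researchers' report: it cross-references the output of `adb shell settings get secure enabled_accessibility_services` with `adb shell pm list packages -i`. The sample outputs, package names and trusted-installer list are constructed assumptions.

```python
# Added example: flag packages that hold an enabled accessibility service
# but were not installed by a trusted store. Sample data is constructed.

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for your fleet (assumption)

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_SERVICES = (
    "com.example.reader/com.example.reader.TalkService:"
    "com.sideloaded.security/.core.AssistService"
)
# Constructed output of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.example.reader  installer=com.android.vending
package:com.sideloaded.security  installer=null
package:com.example.notes  installer=com.android.vending
"""

def parse_services(raw):
    """Return the package name owning each enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset: no services enabled
        return []
    # Entries are colon-separated "package/ServiceClass" component names.
    return [comp.split("/", 1)[0] for comp in raw.split(":") if comp]

def parse_installers(raw):
    """Map package name -> installer package (None when absent or 'null')."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("installer=")
        inst = rest.strip()
        installers[name.strip()] = None if inst in ("", "null") else inst
    return installers

def flag_untrusted_accessibility(services_raw, packages_raw):
    """Packages with accessibility enabled that lack a trusted installer."""
    installers = parse_installers(packages_raw)
    flagged = []
    for pkg in parse_services(services_raw):
        if installers.get(pkg) not in TRUSTED_INSTALLERS and pkg not in flagged:
            flagged.append(pkg)
    return flagged

if __name__ == "__main__":
    for pkg in flag_untrusted_accessibility(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print("review:", pkg)
```

Preinstalled system packages also report no installer, so treat the result as a review list rather than a verdict.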

Via BleepingComputer
