Researchers Uncover New Android Banking Malware
Threatfabric Says Vultur uses Screen Recording to Target Victims
A newly uncovered banking Trojan dubbed “Vultur” is targeting Android users through screen recording to capture the victim’s banking credentials, a new report by security firm Threatfabric says.
The latest campaign has been active since September 2020 and is being spread by malicious actors disguised as a legitimate app in the Google Play Store. However, what makes Vultur unique is its attack technique, the researchers add.
“The usual banking Trojan MO heavily relies on abusing the overlay mechanic to trick victims into revealing their passwords and other important private information,” the report notes. “In an overlay attack, users type their credentials in what they think is a legitimate banking app, effectively giving them to a page controlled by the attacker. Vultur, on the other hand, uses a less technically flexible yet very effective technique: screen recording.”
The Threatfabric report further notes the malware is actively targeting banking app users across Italy, Australia and Spain.
Attack Tactics
Like most Android malware, Vultur begins its compromise by abusing Android Accessibility Services, a feature designed to let users customize how they interact with their device. To abuse this feature, the malware first disguises itself as a legitimate two-factor authentication app or as a fitness app.
Once downloaded, the malware hides its app icon and then proceeds to exploit the Accessibility Services to obtain all the required permissions. This in turn helps Vultur to perform keylogging and prevent users from deleting the app from the device.
The Trojan then records the device’s screen using Virtual Network Computing (VNC), which gives the attacker remote access to the device’s screen. “The biggest threat that Vultur offers is its screen recording capability. The Trojan uses Accessibility Services to understand what application is in the foreground. If the application is part of the list of targets, it will initiate a screen recording session,” the report notes.
The malware then harvests credential data from a short list of targeted apps and sends it to its command-and-control servers.
Links to Other Strains
Threatfabric researchers say an analysis of the malware infrastructure revealed that Vultur is potentially linked to a malware dropper called BurnHilda. In December 2020, BurnHilda was tied to a banking malware campaign that distributed the Trojan as legitimate banking apps, according to a report by security firm Prodaft.
The malware then dropped Alien malware on the victim’s device, which in turn snooped on any newly downloaded apps.
Targeting Android
While Google has put more money and effort into securing its app store, fraudsters and hackers keep changing their tactics to get malicious apps posted on the platform.
During July, security firm Trend Micro uncovered a campaign led by hack-for-hire firms that deployed Android malware to target visitors to Syria’s e-government website as part of its latest cyberespionage campaign (see: Mercenary Hacking Group Deploys Android Malware).
Earlier in July, security firm Cybereason found another campaign in which hackers deployed an updated version of the FakeSpy infostealer to target Android devices using SMS phishing messages (see: FakeSpy Android Malware Disguised as Postal Service Messages).