A fresh edition of a familiar Android banking trojan is circulating online, snatching vital information, and potentially cash, from its targets.
NCC Group’s Fox-IT cybersecurity experts raised concerns about an enhanced variant of the Vultur banking trojan, initially detected in early 2021 but significantly modified and enhanced since then.
Instead of relying solely on dropper apps hidden within the Play Store, this updated version employs a blend of smishing and legitimate app exploitation. Attackers start by sending SMS alerts to their victims, notifying them of unauthorized transactions and providing a phone number to contact.
If the victim falls for the trap and contacts the provided number, the attacker convinces them to install a compromised version of the McAfee Security app. Although the app appears normal, it secretly deploys the Brunhilda malware dropper in the background. This dropper unleashes three payloads, comprising two APKs and a DEX file. These files, upon acquiring Accessibility Services, establish a connection with the command and control (C2) server, enabling the attackers to control the Android device remotely.
Vultur, as a trojan, demonstrates remarkable proficiency. It can capture screen activity, log keystrokes, and provide attackers with remote access via AlphaVNC and ngrok. Additionally, it empowers attackers to transfer files, manage apps, delete files, navigate through the device, and block specific apps. It can also generate customized notifications and bypass the lock screen by disabling the Keyguard.
Furthermore, Vultur encrypts its C2 communications to enhance its stealthiness.
To safeguard against such threats, it is advisable to exercise caution and exclusively download apps from credible, verified sources.