A new malware detected on Android, in some cases even spread by Google Play Store, is capable of turbocharging the collection of login credentials from more than 100 banking and internet applications. criptomoedas on thousands of devices.

According to researchers at Amsterdam-based cybersecurity firm ThreatFabric, the virus, called Vultur, is among the first Android threats to log a device's screen whenever one of the targeted apps is opened. 

Image: ThreatFabric – Disclosure

“Vultur uses an actual implementation of the VNC screen sharing application to mirror the infected device's screen to a server controlled by the attacker,” ThreatFabric explained to Ars Technica this Friday (30).

VNC is the acronym for Virtual Network Computing (virtual computer network, in free translation), an internet protocol that allows the visualization of remote graphical interfaces through a secure connection. This means that the person can view and access all content from another device remotely, over the internet.

Image: ThreatFabric – Disclosure

Screen mirroring of real apps is the technique used by malware

Vultur uses the typical modus operandi (MO) for malware from bank fraud for Android, which is to superimpose a window over the login screen presented by a targeted app. The “overlay,” as these windows are often called, looks identical to the banking application's UI, giving victims the impression that they are entering their credentials into trusted software. 

Attackers then harvest the credentials, insert them into the app running on a different device, and withdraw the money.

“Banking threats on the mobile platform are no longer just based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground apps to initiate screen recording,” ThreatFabric researchers reveal about new approach in a post on the company's website.

Read more:

This takes the threat to another level as these features open the door to device fraud by bypassing detection based on phishing MOs that require the fraud to be performed from a new device: With Vultur, fraud can happen on the victim's own infected device. 

What's more, these attacks are scalable and automated, as actions to carry out fraud can be programmed in the malware's back-end and sent in the form of sequenced commands.

Vultur violates usage permissions set on devices to break into them

how many Trojan horses Android banking systems, Vultur depends on the configuration of accessibility services integrated into the mobile operating system. When first installed, Vultur violates these services to obtain the necessary permissions to function.

Image: ThreatFabric – Disclosure

To do this, the malware uses an overlay taken from other malware families. From there, Vultur monitors all requests that trigger accessibility services.

Malware uses the services to detect requests coming from a targeted application and also to prevent application deletion through traditional measures.

Specifically, whenever the user tries to access the application's details screen in the Android settings, Vultur automatically clicks the “back” button. This blocks user access to the uninstall button. Vultur also hides its icon.

Another way malware succeeds: The trojanized apps that install it are full-featured programs that provide real services, such as fitness tracking or two-factor authentication. 

Despite attempts at cover-up, however, the malware provides at least one telltale sign that it's running – any trojaned app installed on Vultur will show up in the Android notification panel projecting the screen.

Once installed, Vultur starts recording the screen, using the VNC implementation of a well-known Android application (O Olhar Digital is omitting the name but is included in the ThreatFabric report). To provide remote access to the VNC server running on the infected device, the malware uses an application that uses an encrypted tunnel to expose local systems hidden behind firewalls to the public Internet.

According to the company, the malware is installed by a trojanized application known as a dropper. 

So far, ThreatFabric researchers have found two Trojanized apps on Google Play that install Vultur. They had about 5 installations combined, leading technicians to estimate the number of Vultur infections to be in the thousands. 

Unlike most Android malware, which rely on third-party droppers, Vultur uses a custom dropper that is now called Brunhilda. “This dropper and Vultur are developed by the same group of threat actors,” says ThreatFabric. "The choice to develop your own private trojan, rather than renting third-party malware, shows a strong motivation from criminals, paired with the overall high level of structure and organization present in the bot, as well as the server code."

According to the researchers, Brunhilda was used in the past to install different Android banking malware known as Alien. 

Altogether, the researchers estimate that Brunhilda infected more than 30 devices. The estimate is based on malicious apps previously available from the Play Store – some with more than 10 installs each – as well as numbers from third-party marketplaces.

Vultur malware has already claimed victims in Italy, Australia and Spain

Vultur is programmed to record screens when any of 100+ Android banking or cryptocurrency applications are running in the foreground. Italy, Australia and Spain were the countries with the most banking institutions attacked.

In addition to banking and cryptocurrency apps, the malware also collects credentials for Facebook, including WhatsApp, owned by Facebook, as well as TikTok and Viber Messenger. 

The collection of credentials for these applications takes place through traditional keylogging, although the ThreatFabric post didn't explain why.

Even though Google has removed all Play Market apps known to contain Brunhilda, the company's track record suggests that new Trojanized apps are likely to appear. 

Android users should only install apps that provide useful services and then only from known publishers when possible. People should also pay close attention to user ratings and application behavior for signs of malice.

Have you watched our new videos on UAF YouTube? Subscribe to our channel!