    Vultur Android banking Trojan returns with upgraded remote control capabilities

By techempire

    An Android banking Trojan called Vultur has resurfaced with a range of new features and improved anti-analysis and detection avoidance techniques, allowing its operators to remotely interact with mobile devices and collect sensitive data.

“Vultur has also begun to disguise more malicious activity by encrypting its C2 communications, using multiple encrypted payloads that decrypt on the fly, and using the guise of legitimate applications to carry out its malicious actions,” NCC Group researcher Joshua Kamp said in a report released this week.

Vultur was first documented in early 2021. The malware leverages Android’s Accessibility Services API to perform its malicious operations.

    The malware was observed to be distributed via Trojan-laden applications in the Google Play Store, masquerading as authenticator and productivity applications and tricking unsuspecting users into installing them. These dropper applications are provided as part of a Dropper as a Service (DaaS) operation called Brunhilda.

    Other attack chains observed by NCC Group include the use of a combination of text messages and phone calls to deliver implants (a technique known as Telephone Oriented Attack Delivery (TOAD)), ultimately delivering updated versions of the malware.

“The first text message directed the victim to make a phone call,” Kamp said. “When the victim calls the number, the scammer provides the victim with a second text message that contains a link to the implant: a modified version of the [legitimate] McAfee Security app.”

    The original text message was designed to induce a false sense of urgency by instructing the recipient to call a number to authorize a non-existent transaction involving a large amount of money.

Once installed, the malicious implant executes three related payloads (two APKs and a DEX file), which register the bot with the C2 server, set up ancillary services for remote access via AlphaVNC and ngrok, and execute commands obtained from the C2 server.

    One of Vultur’s standout features is its ability to remotely interact with infected devices, including clicking, scrolling, and swiping through Android’s accessibility services, as well as downloading, uploading, deleting, installing, and finding files.

    Additionally, the malware can prevent victims from interacting with a predefined list of applications, display custom notifications in the status bar, and even disable Keyguard to bypass lock screen security.

“Recent developments in Vultur demonstrate a shift in focus toward maximizing remote control of compromised devices,” Kamp said.

    “With the ability to issue commands for scrolling, swipe gestures, clicks, volume controls, preventing apps from running and even merging file manager functions, it’s clear that the main goal is to gain complete control over the infected device.”

    This development comes as Team Cymru revealed the Octo (also known as Coper) Android banking Trojan’s transformation into a malware-as-a-service operation, offering its services to other threat actors for information theft.

    “The malware provides a variety of advanced features, including keylogging, SMS and push notification interception, and device screen control,” the company said.

    “It uses various injections to steal sensitive information such as passwords and login credentials by displaying fake screens or overlays. Additionally, it leverages VNC (Virtual Network Computing) to remotely access the device, thus enhancing its monitoring capabilities.”

    The Octo campaign is estimated to have compromised 45,000 devices, primarily in Portugal, Spain, Turkey, and the United States. Other victims were located in France, the Netherlands, Canada, India and Japan.

The findings coincide with the discovery of a new campaign targeting Android users in India, which distributes malicious APK packages posing as online booking, billing and courier services through malware-as-a-service (MaaS) offerings.

    Symantec, a unit of Broadcom, said in an announcement that the malware “aims to steal banking information, text messages and other confidential information from the victim’s device.”
