Security experts have uncovered a fresh iteration of the Vultur banking trojan designed for Android devices. This updated version boasts enhanced remote control capabilities and an improved evasion strategy, posing a significant threat to mobile users.

Aside from its dangerous capabilities, it can also disguise itself as a McAfee security app, making people who are looking for reliable antivirus software easy targets.

Evolution of Vultur Banking Trojan

ThreatFabric has discovered that the Vultur banking trojan has a newer and more dangerous version that could bypass typical security systems.

Initially identified by researchers at ThreatFabric in March 2021, Vultur gained notoriety in late 2022 when it infiltrated Google Play via dropper apps. 

By the end of 2023, Zimperium recognized Vultur as one of the most active banking trojans, with variants targeting numerous banking apps across 15 countries.


Hybrid Attack Method

A recent report from Fox-IT, a division of the NCC Group, highlights Vultur's evolution into a more evasive form, utilizing a hybrid attack approach that leverages smishing and phone calls. 

Victims are deceived into installing a fake McAfee Security app, unwittingly introducing the trojan into their devices.

Vultur's Latest Infection Chain

The updated Vultur infection chain commences with a deceptive SMS alert prompting victims to call a specified number. 

Subsequent interaction with fraudsters leads victims to download a Trojanized version of the McAfee Security app, harboring the malicious 'Brunhilda' dropper.

Enhanced Capabilities

The newest iteration of Vultur retains previous functionalities like screen recording and keylogging while introducing novel features. Bleeping Computer listed what this Android banking trojan can do:

  • File Management Actions: Including download, upload, deletion, installation, and file search.
  • Accessibility Services Utilization: Enabling clicks, scrolls, and swipes.
  • App Blocking: Preventing specific apps from running or displaying customized messages.
  • Custom Notifications: Misleading victims with false notifications in the status bar.
  • Keyguard Disablement: Bypassing lock screen security measures for unrestricted access.

Advanced Evasion Mechanisms

To evade detection, the latest Vultur version employs encryption for C2 communications, dynamic decryption of payloads, and disguises malicious activities as legitimate processes. Native code decryption complicates reverse engineering efforts, enhancing stealth.

The rapid evolution of Vultur suggests ongoing development efforts to bolster its capabilities further. With a focus on enhancing remote control functionalities, future iterations may pose even greater risks to Android users.

How to Protect Yourself From Vultur Banking Trojan

To mitigate the risk of Vultur infections, Android users should adhere to the following best practices:

  • Source Verification: Download apps exclusively from trusted platforms like Google Play.
  • Caution with URLs: Refrain from clicking on suspicious links in messages or emails.
  • Permission Scrutiny: Review app permissions before installation, granting access only to essential functionalities.
  • Vigilance: Stay informed about emerging threats and adopt proactive security measures.

In late December, another banking malware dubbed "Chameleon" was disrupting biometric operations on Android. At that time, ThreatFabric said that this trojan had expanded its scope, affecting users from Italy and the UK.


Joseph Henry

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.