Alert for Android users: This malware posing as security app can steal your data – Times of India

Enhanced Threat: The Evolution of Vultur Malware

In the ever-evolving landscape of cybersecurity threats, a new iteration of the Vultur banking trojan has emerged, masquerading as a legitimate security application to siphon off sensitive data from Android users. Security experts have identified that this latest variant boasts sophisticated remote control features and a more robust evasion mechanism, heightening the risk for unsuspecting users.

A detailed analysis by Fox-IT, a division of the NCC Group, and reported by Bleeping Computer, has brought to light the cunning strategies employed by cybercriminals to disseminate this stealthier version of Vultur through a hybrid assault. This approach combines smishing—a deceptive technique involving SMS phishing—with phone calls designed to dupe victims into downloading a counterfeit version of the McAfee Security app.

The infection process unfolds as victims receive an SMS, falsely alerting them of an unauthorized transaction and urging them to call a specified number for assistance. When the victim makes the call, they are met by a scammer who convinces them to open a link sent via a follow-up SMS. This link leads them to a fraudulent site where the imitation McAfee Security app is available for download.

The bogus app harbors the ‘Brunhilda’ malware dropper, which, upon installation, unleashes three Vultur-associated payloads—two APKs and a DEX file. These payloads are capable of commandeering the Accessibility Services, activating remote control functionalities, and establishing a link with the malware’s command and control (C2) server.

The new Vultur variant introduces a suite of alarming features, including:

  • File management capabilities that allow for downloading, uploading, deletion, installation, and location of files on the compromised device.
  • Manipulation of Accessibility Services to simulate clicks, scrolls, and swipes.
  • Prevention of specific apps from launching, coupled with the display of custom HTML or a “Temporarily Unavailable” message to deceive the user.
  • Generation of misleading notifications in the status bar.
  • Disabling of the Keyguard to circumvent lock screen security, granting unfettered device access.

In addition to these functionalities, the Vultur malware now incorporates advanced evasion tactics. It AES-encrypts its communications with the C2 server and Base64-encodes the result, ships multiple encrypted payloads that are decrypted only when needed, and mimics legitimate applications to carry out its nefarious activities undetected.

The malware’s reliance on native code to decrypt payloads further complicates the reverse engineering process, providing an additional layer of stealth to elude detection mechanisms. Android users are advised to remain vigilant, scrutinize the sources of their app downloads, and be wary of unsolicited communications that could potentially lead to malware installation.
