Unveiling Vultur: The Android Malware Disguised as Security Software
In the ever-evolving landscape of cybersecurity threats, a new player has emerged with a sophisticated set of tools designed to breach the defenses of Android devices. Known as Vultur, this banking malware has recently upgraded its arsenal, enabling operators to establish remote interactions with the infected mobile devices seamlessly.
What sets Vultur apart is its ability to masquerade as legitimate applications while encrypting its command and control (C2) communications, and to deliver its malicious code as encrypted payloads that are decrypted at runtime, keeping its activity hidden.
The malware boasts intrusive capabilities such as keylogging and screen interaction, with a particular focus on commandeering banking applications. These features allow for remote control and the covert recording of keystrokes, posing a significant threat to financial security.
Originally identified by ThreatFabric in March 2021, Vultur has historically exploited ngrok and AlphaVNC—two legitimate software applications—to gain remote access to the VNC server on the victim’s device.
Interestingly, Vultur’s deployment strategy involves the use of a dropper framework named Brunhilda, which cleverly distributes malicious apps via the Google Play Store. Fox-IT revealed to Cyber Security News that Vultur’s latest campaign involves a hybrid attack, utilizing both SMS and phone calls to ensnare victims.
The attack begins with an SMS message, prompting the victim to make a phone call. During this call, the fraudster sends a second SMS containing a link to the dropper—a modified version of the McAfee Security app. This clever ruse lends an air of legitimacy to the malicious software, making it more likely for the victim to install it.
Among the capabilities added in the latest samples:
- The malware can download, upload, delete, install, and locate files on the infected device.
- It leverages Android Accessibility Services to control the device, enabling it to perform gestures such as swipes and clicks, and even mute or unmute audio.
- Vultur can prevent certain apps from running and display custom notifications.
- It has the ability to disable Keyguard, effectively bypassing lock screen security measures.
These advancements in Vultur’s functionality highlight the malware’s evolution towards greater stealth and control. For instance, it can now block the victim from interacting with specific apps, forcing them to the background whenever they are detected as running on the device.
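Because the capabilities above (gesture injection, app blocking, muting audio) all hinge on the malware being granted an Android Accessibility Service, a practical triage step is to enumerate which packages currently hold that privilege and whether they arrived through a store or were sideloaded from a link, as in this campaign. The script below is an added example written for this article, not code from the article, Fox-IT or ThreatFabric; it parses the text produced by `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the sample values, the allowlist and the package name `com.example.securityapp` are constructed for illustration.

```python
# Added triage helper (not from the article or any vendor tooling): flag
# enabled Android accessibility services whose package is not on an
# allowlist, and pair each with its recorded installer so a sideloaded app
# holding accessibility access stands out. Input strings mimic the output of
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed allowlist; a real one comes from your MDM or device baseline.
ALLOWLIST: Set[str] = {"com.google.android.marvin.talkback", "com.android.talkback"}

# Constructed sample output: TalkBack from the Play Store plus a sideloaded
# "security" app (installer=null) that has been granted accessibility access.
SAMPLE_SETTINGS = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.securityapp/.AccessService"
)
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.securityapp  installer=null
"""


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: Optional[str]
    reason: str


def parse_enabled_services(value: str) -> List[Tuple[str, str]]:
    """Parse 'pkg/service:pkg2/service2' into (package, service) pairs."""
    value = value.strip()
    if not value or value == "null":  # no accessibility services enabled
        return []
    pairs = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):  # Android abbreviates 'pkg/pkg.Svc' as 'pkg/.Svc'
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Parse 'package:<name>  installer=<pkg|null>' lines; None means sideloaded."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("installer=")
        inst = rest.strip() or "null"
        installers[name.strip()] = None if inst == "null" else inst
    return installers


def triage(settings_value: str, pm_output: str,
           allowlist: Set[str] = ALLOWLIST) -> List[Finding]:
    """Return one Finding per non-allowlisted package with accessibility access."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, svc in parse_enabled_services(settings_value):
        if pkg in allowlist:
            continue
        installer = installers.get(pkg)
        reason = "accessibility service enabled for non-allowlisted package"
        if installer is None:
            reason += "; package was sideloaded (no installer recorded)"
        findings.append(Finding(pkg, svc, installer, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SETTINGS, SAMPLE_PM):
        print(f"{f.package} ({f.service}) installer={f.installer}: {f.reason}")
```

The sideload signal is only a corroborating one: the article notes that the Brunhilda dropper has also been distributed through Google Play, so a Play Store installer does not clear a package. The accessibility grant itself, on a package the fleet has no business reason to allow, is the finding worth escalating.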
The Intricacies of Vultur’s Attack Chain
The infection process is both intricate and deceptive. It starts with an SMS message that falsely alerts the victim of a large, unauthorized transaction, urging them to call a provided number. This sense of urgency is a psychological trick designed to prompt immediate action from the victim.
During the subsequent phone call, a second SMS is sent with a link to the trojanized McAfee Security app. Once installed, the Brunhilda dropper activates, decrypting and executing three payloads associated with Vultur, thus granting the attackers full control over the device.
Recent investigations into Vultur samples have revealed a continuous addition of new features, suggesting that the malware is under active development to enhance its capabilities. This ongoing evolution of Vultur indicates that we can expect it to gain even more functionalities in the near future.