Vultur’s Enhanced Evasion and Remote Control
In the ever-evolving landscape of cybersecurity threats, a new iteration of the Vultur banking trojan has been identified, boasting more sophisticated remote control features and an enhanced ability to evade detection. Security experts at ThreatFabric first encountered the malware in early 2021, and by the latter part of 2022, it had been spotted on Google Play, cleverly concealed within seemingly innocuous dropper apps.
As the year drew to a close, Vultur had secured a spot on Zimperium’s list of the top ten most active banking trojans, with its variants aggressively targeting a multitude of banking applications across various countries. A recent report from Fox-IT, a division of the NCC Group, has shed light on a new, more elusive version of Vultur that employs a combination of smishing and voice calls to deceive victims into downloading a fake McAfee Security app laden with the malware.
Unraveling Vultur’s Infection Method
The infection process begins innocuously enough, with an SMS alert about an unauthorized transaction, urging the recipient to call a number for assistance. This call connects the victim to a scammer who convinces them to follow a link sent via another SMS. This link leads to a fraudulent site offering the doctored McAfee Security app, which harbors the ‘Brunhilda’ malware dropper.
Once the app is installed, it drops three Vultur-related payloads that obtain access to the device’s Accessibility Services, start the remote control functionality, and establish a connection with the command and control (C2) server. This multi-stage infection chain reflects the care that has gone into the malware’s design.
Vultur’s Advanced Arsenal
The latest Vultur variant retains its predecessor’s capabilities, such as screen recording, keylogging, and real-time remote access via tools like AlphaVNC and ngrok. However, it has also evolved to include an array of new functionalities:
- Comprehensive file management options, such as the ability to download, upload, delete, and install files, as well as search for specific files on the infected device.
- Abuse of Accessibility Services to simulate natural user interactions such as clicks, scrolling, and swiping.
- The capability to prevent certain apps from launching, replacing them with custom HTML or a misleading “Temporarily Unavailable” message.
- Crafting custom notifications in the status bar to further deceive the user.
- Disabling Keyguard to circumvent lock screen security, thus gaining unfettered access to the device.
In addition to these features, the malware has incorporated new evasion techniques, such as encrypting its communications with the C2 server and using multiple encrypted payloads that are decrypted as needed. It also disguises its malicious activities by mimicking legitimate applications.
The malware’s use of native code to decrypt its payloads complicates reverse engineering and helps it evade detection. The developers behind Vultur have clearly prioritized enhancing the remote control capabilities, introducing commands for a range of device interactions and app management tasks.
The rapid development of Vultur’s features suggests that future versions may be even more sophisticated. To protect against such threats, Android users are advised to exercise caution by only downloading apps from trusted sources like Google Play and to be wary of clicking on links in unsolicited messages. Additionally, scrutinizing the permissions requested by apps during installation can help users maintain control over their device’s security and privacy.