A new form of Android malware called Vultur uses device screen recording and keylogging to snatch login credentials from banking and cryptocurrency applications.
Vultur was first detected by the Amsterdam-based cybersecurity research company ThreatFabric in late March. The malware got its name due to its full visibility on the targeted device through Virtual Network Computing or VNC.
The malware is the first Android banking trojan relying on screen recording and keylogging as the main attack strategy. So far, these trojans have mainly used HTML overlay approaches for stealing data. Overlay attacks present victims with a fake interface that looks identical to their banking app. Believing they’re accessing a secure application, the victim types in their credentials, providing hackers with full access to their financial accounts in the process.
The new approach has the same results but requires substantially less time and effort, enabling automatic credential harvesting on a large scale. Vultur is part of an emerging family of malware referred to as Remote Access Trojan or RAT.
It’s mainly distributed via Google Play, where attackers use the Brunhilda malware dropped framework to place the trojan on the app store. Malware is often placed within utility applications like fitness apps and 2FA authenticators. These apps usually perform their marketed functions but also install the malware on your device.
Once installed, Vultur exploits Accessibility Services to obtain system permissions. Then, it initiates a screen recording session using VNC from the AlphaVNC app. Additionally, Vultur prevents the user from uninstalling the infected app by hiding its icon or automatically clicking ‘Back’ whenever you head to the installation screen. However, you can notice the malware through the Android panel notification informing you that screen recording is on.
So far, two droppers containing Vultur were found on Google Play, with those apps having 5,000+ downloads. According to ThreatFabric, the same hacker group is behind both Vultur and the Brunhilda dropper. Google has already removed the apps from the store, but new trojanized apps will probably appear in the future.
As Android is infamously vulnerable to cyberattacks, users should make sure they’re using top-class antivirus software to protect their devices.