Hackers have a new tool in their arsenal: one of the most advanced Android banking trojans has just been upgraded with new features that allow it to remotely control infected devices.
First discovered by security firm ThreatFabric in 2021, Vultur was one of the first banking trojans that could record the screen of infected Android smartphones. In the years since, its creators have updated this Android malware to make it even more dangerous.
As reported by SecurityWeek, new technical features have been added to Vultur, and the malware is now even better at avoiding detection. Although it was initially distributed using malicious applications in the Google Play Store, security researchers at NCC Group recently noticed a brand new campaign that uses a new distribution method to trick unsuspecting users into installing this malware on the best Android phones.
Here’s everything you need to know about the Vultur banking trojan along with some tips and tricks on how to avoid hackers hijacking your phone.
Infecting victims with a hybrid attack
Instead of infecting users with malicious apps, this new campaign uses a hybrid attack that starts with a text message, followed by a phone call and another SMS.
In their report, security researchers at NCC Group explain that this hybrid attack begins with a text message that directs potential victims to call a number if they haven’t authorized a large transaction from their bank account. Although this transaction never actually took place, the message creates a sense of urgency which might be enough to trick users into calling the number.
If they do call to inquire about the large transaction, another text message is sent during the call. It contains a link to a trojanized version of the McAfee Security app that they are forced to install on their smartphone. The app itself looks legitimate at first glance, but it actually contains the Brunhilda dropper, which is then used to download the Vultur banking trojan.
The malware is downloaded in three separate payloads that are combined on the target Android smartphone. Once installed, the hackers behind this campaign gain complete control over the infected device.
An even more dangerous Vultur
The Vultur banking trojan was dangerous enough when it was first spotted, but now it has even more features that hackers can use in their attacks.
For example, the malware can download, upload, delete, install and find files on an infected Android smartphone, and it can also prevent applications from running. Likewise, it can display a custom notification in the status bar and even disable Keyguard, which allows it to bypass your lock screen. By far the most interesting additions, however, are the new remote control options.
Although Vultur still uses AlphaVNC and ngrok for remote access functionality as it did in 2021, the hacker can now send commands to the infected smartphone to perform scrolls, swipes, clicks, mute/unmute the device and more.
Just like other types of Android malware, Vultur abuses the operating system’s Accessibility Services in order to gain even more control over the infected device. The cybercriminals behind this banking trojan also use Google’s Firebase Cloud Messaging (FCM) service to send messages from the command and control (C2) servers that control the infected phone.
Hackers usually need to have a constant connection to the infected device in order to control it. However, by using FCM, they can send a command even if their connection to the device is lost. AlphaVNC and ngrok still require a constant remote connection, but this new feature adds more flexibility while making things easier for hackers who use this malware in their attacks.
The newly added file manager functionality also gives hackers more control over infected Android smartphones as they can remove existing files from the device as well as upload new ones for use in additional attacks.
How to protect yourself from Android malware
Although I would usually tell you to steer clear of Android apps with bad ratings and avoid sideloading apps if you want to protect yourself from malware, this campaign is a little different.
It’s more like a phishing attack since it starts with an urgent message from an unknown sender. In such cases, you must remain calm and not let your emotions get the better of you. Instead of responding to the message immediately or at all, the first thing you should do is check your bank accounts to see if this large transaction actually happened. Doing so would reveal that it didn’t, and you could safely ignore the message.
At the same time, you never want to call back a number that hackers give you, whether by text or email. Automated email security checks now prevent many of their messages from getting through, which is why hackers have started trying to trick users into calling them. It’s a lot easier to convince someone to do something they may not want to do when you’re talking to them on the phone.
To protect yourself from trojanized applications like the one used in this attack, you should ensure that Google Play Protect is installed and enabled on your Android smartphone. These days, it comes pre-installed on most Android phones. For added protection, you should also consider using one of the best antivirus apps for Android since they are updated more often and many of them include additional security features like a VPN or a password manager.
As Google and other companies get better at defending against attacks like this, hackers will continue to come up with new ways to trick you into installing malware on your smartphone. This is why you need to be extra careful when installing any new apps, and why you should avoid at all costs those that you have to install manually.