Security researchers have found a new version of the Vultur banking Trojan for Android that includes more advanced remote control capabilities and an improved evasion mechanism.
Researchers at fraud detection firm ThreatFabric first documented the malware in March 2021, and in late 2022 noticed it was being distributed through Google Play via dropper apps.
In late 2023, mobile security platform Zimperium listed Vultur among its top 10 banking Trojans of the year, noting that nine of its variants targeted 122 banking applications in 15 countries.
A report from Fox-IT, part of the NCC Group, warns that a new, evasive version of Vultur is spreading to victims through a hybrid attack that relies on smishing (SMS phishing) and phone calls that trick targets into installing a version of the malware posing as the McAfee Security app.
Vultur’s new chain of infection
Vultur’s latest infection chain begins with the victim receiving an SMS alerting them to an unauthorized transaction and instructing them to call a provided number for guidance.
The call is answered by a fraudster who persuades the victim to open a link that arrives in a second SMS; the link leads to a page offering a modified version of the McAfee Security application.
Inside the trojanized McAfee Security application is the ‘Brunhilda’ malware dropper.
Once installed, the application decrypts and executes three Vultur-related payloads (two APKs and a DEX file) that obtain access to accessibility services, initialize the remote control components, and establish a connection to the command-and-control (C2) server.
New capabilities
The latest version of the Vultur malware analyzed by researchers retains several key features from older iterations, such as screen recording, keylogging, and remote access via AlphaVNC and ngrok, allowing attackers real-time monitoring and control.
Compared to the old variants, the new Vultur introduces a number of new features, including:
- File management actions, including downloading, uploading, deleting, installing and finding files on the device.
- Using accessibility services to perform clicks, scrolling and finger gestures.
- Blocking certain apps from running on the device and displaying custom HTML or a “Temporarily unavailable” message to the user instead.
- Displaying custom notifications in the status bar to mislead the victim.
- Disabling the keyguard (lock screen) to bypass lock-screen security and gain unrestricted access to the device.
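Because the dropper's payloads depend on accessibility services (the previous section) and the new feature set uses them for clicks and gestures, one practical check a defender can run on a managed or suspect device is to compare the enabled accessibility services against an allowlist. The script below is an added example, not code from the Fox-IT report or from any vendor; the allowlist entry and the sample service names in the comments are constructed values, and the live mode assumes `adb` is installed and a device is attached. It reads the `enabled_accessibility_services` value from the `secure` settings namespace, which Android stores as a colon-separated list of `package/service` names.

```shell
#!/bin/sh
# Added example (not from the Fox-IT report): flag enabled Android accessibility
# services that are not on an allowlist. Banking trojans such as Vultur abuse
# accessibility services for keylogging, clicks, scrolling and gestures.

# Allowlist of services you expect on the device (constructed sample value).
ALLOWLIST="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# Parse the colon-separated value of the 'enabled_accessibility_services' secure
# setting and print one "UNEXPECTED <service>" line per service not in the
# allowlist. Returns 0 when every enabled service is allowlisted, 1 otherwise.
flag_unexpected_services() {
    raw="$1"
    status=0
    # An unset setting is reported by 'settings get' as the literal string "null".
    [ -z "$raw" ] || [ "$raw" = "null" ] && return 0
    old_ifs="$IFS"; IFS=':'
    for svc in $raw; do
        case ":$ALLOWLIST:" in
            *":$svc:"*) ;;                              # expected service
            *) echo "UNEXPECTED $svc"; status=1 ;;      # anything else is suspect
        esac
    done
    IFS="$old_ifs"
    return $status
}

# Live mode: run the check against a connected device when adb is available.
# Without '--live' the function can be applied to a captured setting value.
if [ "${1:-}" = "--live" ] && command -v adb >/dev/null 2>&1; then
    flag_unexpected_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
fi
```

Run it as `sh check_a11y.sh --live` with a device attached, or pipe a captured value into `flag_unexpected_services` from another script. A non-zero exit with an `UNEXPECTED` line does not prove infection, but a service belonging to a recently sideloaded "security" app is exactly the pattern this malware relies on and warrants pulling the APK for analysis.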
In addition to these features, the latest version of Vultur also adds new evasion mechanisms, such as encrypting its C2 communication (AES + Base64), using multiple encrypted payloads that are decrypted on the fly only when needed, and masking its malicious activity under the guise of a legitimate application.
The malware also uses native code to decrypt those payloads, which makes reverse engineering harder and helps it avoid detection.
The researchers note that Vultur's developers seem to have focused on improving remote control of infected devices, with commands to scroll, swipe, click, control the volume, and block app launches.
It is clear that the malware author has worked hard to improve the malware’s stealth and add new functions at a rapid pace, indicating that future versions are likely to add more features.
To reduce the risk of Android malware infection, users are advised to download apps only from reputable sources, such as Android’s official app store, Google Play, and to avoid clicking on URLs in messages.
It’s always a good idea to check the permissions an app requires when it’s installed and only agree to those required for the app’s core functionality. For example, a password manager app should not require access to the phone’s camera or microphone.