Most Android banking malware uses overlays to fool users into tapping something they don’t really want to tap. Often, this strategy sends victims to a fake banking login page where the attackers gather login credentials, which they then quickly use to break into the target’s bank account.
But this is not what the newest Android malware, Vultur, is doing. To no one’s surprise, the developers of this malware use infected apps on Google Play to get their job done. The apps themselves are legitimate and work as promised. It’s only that they carry malware which installs itself when the app is installed. In Vultur’s case, the chosen apps deal with fitness and verifying 2FA (two-factor authentication). Here are some of the apps found by Prodaft that were using the Brunhilda dropper, which ThreatFabric has subsequently associated with Vultur.
The malware hides on the phone under an icon identified as “Google Activity Tracker”.
Once installed, the malware then ‘listens’ for activity on the phone that may indicate a bank or crypto wallet is being accessed. That’s when it goes to work in setting up a way to steal the login credentials of the victim.
Like most Android malware, Vultur abuses the phone’s Accessibility Services for its own ends. It watches to see when apps are opened. When the user starts to use a service which is on the malware’s hit list, the malware kicks in. It takes a screen capture, which probably serves to check which bank or cryptocurrency login page is being accessed, and then starts a keylogger to gather login information. Once it has these, it sends the information to the attackers.
Although banks and crypto currency sites are the main targets, Vultur is also programmed to get logins for Facebook, TikTok, Messenger, and WhatsApp. In fact, there’s no reason any social media or email site could not be captured with this malware. Selling the credentials alone could make the criminals a good income.
It should be noted that this campaign is just getting started and has not yet crossed over to the U.S. Here is a graph ThreatFabric gives to show this. For each country it shows the number of banking applications that were targeted; cryptocurrency and social media sites are shown separately.
My guess is that the developers are still testing this malware. If it works, expect it to be more widely employed or sold to other hacking groups.
For the present, Vultur is targeting smaller banks and crypto services in the countries above. However, this is not always the case. Santander and ING bank branches are being targeted, as is HSBC Australia. Among cryptocurrency sites, Coinbase, Binance, and Crypto.com have been put in the malware’s sights.
So how can you avoid getting infected with the Vultur malware? First of all, be careful what apps you download and be careful about giving an app permission to use Accessibility Services. Once installed, Vultur will not let you uninstall the app or change its permissions. The app asks for screen-capture permission and, once that is granted, the app carrying Vultur runs constantly in the background, waiting for the moment it can descend on its prey.
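A defender-side check on the Accessibility Services permission this paragraph warns about, written as an added example (not code from the original post or from ThreatFabric): it parses the output of two adb commands to list which third-party packages currently hold an accessibility service. The adb outputs and the allowlist below are constructed samples so the script runs offline.

```python
"""Triage enabled Android Accessibility Services from adb output.

Vultur-style malware needs the user to grant it an Accessibility Service, so
a quick check is: which installed packages hold one, and are any of them
third-party apps? Inputs are the raw outputs of two real adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
"""
from dataclasses import dataclass

# Constructed sample: the colon-separated "package/ServiceClass" list Android
# stores in the enabled_accessibility_services secure setting.
SAMPLE_ENABLED = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fittracker/.AccessibilityService"
)
# Constructed sample output of `pm list packages -3` (third-party apps only).
SAMPLE_THIRD_PARTY = "package:com.example.fittracker\npackage:com.bank.mobile\n"
# Hypothetical allowlist of reviewed, legitimate accessibility-service holders.
ALLOWLIST = {"com.android.talkback"}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    third_party: bool
    allowed: bool


def parse_enabled_services(raw):
    """Split the secure setting into (package, fully-qualified service) pairs.
    A leading '.' in the class name is Android shorthand for the package name."""
    pairs = []
    for entry in raw.strip().split(":"):
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs


def parse_third_party(raw):
    """Collect package names from `pm list packages -3` lines."""
    return {line[len("package:"):].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def triage(enabled_raw, third_party_raw):
    third = parse_third_party(third_party_raw)
    return [Finding(pkg, svc, pkg in third, pkg in ALLOWLIST)
            for pkg, svc in parse_enabled_services(enabled_raw)]


def suspicious(findings):
    """Third-party packages holding an accessibility service, not allowlisted."""
    return sorted(f.package for f in findings if f.third_party and not f.allowed)
```

Run the two adb commands against a device and feed their output to `triage()`; any package returned by `suspicious()` deserves a look at why it needs accessibility access.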
The operators of the malware control the victim’s phone. They can, if they want, use this phone to make bank transactions remotely. In other words, they could get money transferred to their accounts and even receive an OTP (one-time password) if that is required. If this is the case, the bank will only see a transaction coming from the victim’s phone and it may be difficult to convince the bank that the victim was not at fault. If user negligence is involved in the loss of money, the bank has a reasonable case for not refunding it. It’s simply not true that money stolen by a scammer will always be returned. Each bank has a different policy on this so it makes sense to know their policy in advance.
The malware could be tweaked to do even more than it is now doing. It could, for example, wait for a biometric login to a banking site before taking control away from or locking out the victim. Such a biometric bypass was used in the Brazil-based CamuBot malware. Just remember, the Vultur attack is a sophisticated attack and should not be taken lightly. Expect it hidden in your local app store soon.