The Android banking trojan Vultur has returned with new capabilities and enhanced methods to evade analysis and detection, allowing hackers to remotely access a mobile device and collect sensitive data.
“Vultur has upgraded its malicious activities by encrypting its communication, using encrypted payloads that are decrypted in real-time, and disguising itself as legitimate applications,” said NCC Group researcher Joshua Kamp in a recent report.
First discovered in early 2021, Vultur exploits Android’s accessibility services APIs to carry out malicious actions.
The malware is distributed through trojanized apps on the Google Play Store, pretending to be authenticator and productivity apps to deceive users into installing them. These apps are part of a dropper-as-a-service (DaaS) operation called Brunhilda.
According to NCC Group, the latest campaign uses a combination of SMS messages and phone calls, a technique known as telephone-oriented attack delivery (TOAD), to deliver an updated version of the malware.
The SMS messages and phone calls create a false sense of urgency around the authorization of a non-existent transaction involving a large sum of money, tricking victims into engaging with the attackers.
Upon installation, the malicious dropper executes three payloads that register the bot with the C2 server, gain accessibility permissions for remote access, and carry out commands from the C2 server.
Vultur now has the ability to remotely interact with infected devices, performing various actions like clicks, scrolls, swipes, file operations, and app manipulation.
Additionally, the malware can block specific apps, display custom notifications, and disable Keyguard to bypass lock screen security measures.
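As an added defender-side example (not code from NCC Group's report or from the malware itself), the following triage script parses a device's `enabled_accessibility_services` secure setting and flags any accessibility service outside a known-good allowlist, since remote control of this kind depends on that permission. The setting name and its colon-separated `package/class` format are Android's own; the sample value and the allowlist are constructed for this example.

```python
"""Flag accessibility services enabled on an Android device that are not on an
allowlist. The input is the value of the secure setting
`enabled_accessibility_services`, as printed by
`adb shell settings get secure enabled_accessibility_services`."""

from typing import Iterable

# Constructed sample value; on a real device substitute the adb output.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.authenticator/com.example.authenticator.svc.AccService"
)

# Constructed allowlist of services the organisation expects, as full "package/class" names.
ALLOWLIST = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_services(setting: str) -> list[tuple[str, str]]:
    """Split the setting into (package, service class) pairs, skipping empty entries."""
    entries = []
    for item in setting.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        # Component names may use the short form "pkg/.Service"; expand to the full class.
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def unexpected_services(setting: str, allowlist: Iterable[str]) -> list[str]:
    """Return "package/class" strings for enabled services that are not allowlisted."""
    allowed = set(allowlist)
    return [f"{p}/{c}" for p, c in parse_services(setting) if f"{p}/{c}" not in allowed]


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING, ALLOWLIST):
        print("unexpected accessibility service:", svc)
```

An unexpected entry is a lead for investigation, not proof of infection; confirm the package's origin and signer before acting.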
Recent developments in Vultur show a focus on gaining more control over infected devices through remote commands for various actions.
This shift aligns with the Octo Android banking trojan transitioning to a malware-as-a-service operation, offering advanced features like keylogging, message interception, and screen control.
Octo has compromised thousands of devices, primarily in Portugal, Spain, Turkey, and the U.S., with additional victims in other countries.
Furthermore, a new campaign targeting Android users in India distributes malicious APK packages through MaaS, aimed at stealing sensitive information from victims.
These developments underscore the evolving threat landscape and the need for heightened cybersecurity measures to protect against sophisticated malware attacks.