New bank fraud malware called Vultur infects thousands of devices

New bank fraud malware called Vultur infects thousands of devices

Recently detected Android malware, some spreading through the Google Play Store, uses a novel way to power the harvesting of login credentials from more than 100 banking and cryptocurrency apps.

The malware, which researchers at Amsterdam-based security firm ThreatFabric call Vultur, is among, if not the: First Android threats to record the screen of a device every time one of the target applications is opened. Vultur uses an actual implementation of the VNC screen sharing app to mirror the infected device’s screen to a server controlled by the attacker, ThreatFabric researchers said.



The next level

The typical modus operandi for Android-based bank fraud malware is to overlay a window on top of the login screen presented by a specific application. The “overlay”, as these windows are often called, appears identical to the user interface of the banking application, giving victims the impression that they are entering their credentials into trusted software. The attackers then collect the credentials, enter them into the application running on a different device, and withdraw money.

“Banking threats on the mobile platform are no longer just based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks such as foreground app detection to initiate screen recording,” ThreatFabric researchers wrote about Vultur’s new approach in a mail.

They continued:

This takes the threat to another level, as such features open the door to fraud on the device, bypassing MO-based detection of phishing that require fraud to be carried out from a new device: with Vultur, fraud can occur on the infected device of the victim. These attacks are scalable and automated, as fraud actions can be programmed into the malware’s backend and delivered as sequenced commands.

Vultur, like many Android banking Trojans, relies heavily on accessibility services integrated into the mobile operating system. When first installed, Vultur abuses these services to obtain the necessary permits to work. To do this, the malware uses an overlay borrowed from other malware families. From that moment on, Vultur monitors all requests that activate accessibility services.


Stealth and more

The malware uses the services to detect requests that come from a specific application. The malware also uses the services to prevent the user from using traditional measures to remove the application. Specifically, whenever the user tries to access the app details screen in Android settings, Vultur automatically clicks the back button. This prevents the user from accessing the uninstall button. Vultur also hides its icon.

Another way malware stays stealthy: The Trojanized apps that install it are full-featured programs that actually provide real services, like fitness tracking or two-factor authentication. However, despite attempts at cover-up, the malware provides at least a tell-tale sign that it is running: any installed Trojan app, Vultur, will appear in the Android notification panel by projecting the screen.


Once installed, Vultur starts screen recording, using the VNC implementation of Alpha VNC. To provide remote access to the VNC server running on the infected device, the malware uses skirt, an application that uses an encrypted tunnel to expose local systems hidden behind firewalls to the public Internet.

The malware is installed using a Trojan application known as an eyedropper. So far, ThreatFabric researchers have found two trojanized apps on Google Play that install Vultur. They had combined facilities of around 5,000, leading researchers to estimate the number of Vultur infections in the thousands. Unlike most Android malware, which is based on third-party droppers, Vultur uses a custom dropper known as Brunhilda.

“This dropper and Vultur are developed by the same group of threat actors,” the ThreatFabric researchers wrote. “Choosing to develop their own private Trojan, rather than renting third-party malware, shows strong motivation from this group, along with the overall high level of structure and organization present in the bot as well as the server code.”

Researchers found that Brunhilda was used in the past to install different Android banking malware known as Alien. In total, the researchers estimate that Brunhilda has infected more than 30,000 devices. The researchers based the estimate on malicious apps previously available on the Play Store, some with more than 10,000 installations each, as well as figures from third-party markets.

Vultur is programmed to record screens when any of Android’s 103 banking or cryptocurrency apps are running in the foreground. Italy, Australia and Spain were the countries to which more banking institutions went.


In addition to banking and cryptocurrency apps, the malware also collects credentials for Facebook, Facebook-owned WhatsApp Messenger, TikTok, and Viber Messenger. The collection of credentials for these applications occurs through the traditional keylogger, although the ThreatFabric post did not explain why.

While Google has removed all applications from the Play Market known to contain Brunhilda, the company’s history suggests that new applications with Trojans will likely appear. Android users should only install apps that provide useful services, and even then only apps from recognized publishers, when possible. People should also pay close attention to user ratings and app behavior for signs of malice.

Leave a Reply

Your email address will not be published. Required fields are marked *