Android: The Extremely DANGEROUS Problem That Affects Millions of Phones


A worrying example is the Android banking malware known as Vultur, which has recently evolved, adding new functionality that lets its operators interact remotely with infected devices even more effectively. Originally discovered by ThreatFabric in March 2021, Vultur posed an imminent threat to Android device users, specifically targeting banking apps through keylogging and remote control.

Vultur became notable for its innovative use of screen recording capabilities, a first among Android banking malware. Essentially, Vultur (ab)used the legitimate software AlphaVNC and ngrok to provide remote access to the VNC server on the infected device. It was distributed via a dropper framework called Brunhilda, which facilitated the placement of malicious apps directly into the Google Play Store.

Vultur has recently improved the way it masks its malicious activities. By encrypting C2 communication and using encrypted payloads that are decrypted on the fly, the malware has become harder to detect. It has also shown a worrying tendency to masquerade as legitimate applications, further improving its ability to evade detection.


In an attempt to mislead victims, the actors behind Vultur use a hybrid attack, combining SMS messages and phone calls to convince victims to install trojanized versions of security applications such as McAfee Security. This ingenious tactic tricks users into downloading the Brunhilda dropper, which disguises the malware as a legitimate application, thus giving the attackers full control over the infected device.

The latest updates bring significant changes to Vultur’s arsenal, including the malware’s ability to remotely interact with the infected device via Android accessibility services. This new functionality allows the malware operator to execute commands to perform actions on the victim’s device, such as clicks, scrolls, or swipe gestures. It also uses Firebase Cloud Messaging (FCM) to send commands from the C2 server to the infected device, increasing the effectiveness and discretion of the malware’s actions.

Another novelty is Vultur’s ability to prevent the victim from interacting with the applications installed on the device. The malware can specify a list of apps that will be automatically closed when detected running on the device, displaying custom HTML code as a “template” for the blocked apps instead. This innovative method of control and manipulation increases the ability of threat actors to maintain access and dominance over compromised devices.

These developments underscore the need for constant vigilance and rigorous security practices on the part of Android device users. It is essential that users are aware of potential threats and take preventive measures, such as installing apps only from trusted sources and using high-quality mobile security solutions. In an ever-changing digital world, protection against such sophisticated threats becomes an absolute priority for the safety of personal and financial information.
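As an added example (not part of the original article), the following Python sketch supports the advice above: it lists third-party packages that hold an enabled accessibility service, the capability Vultur relies on for remote control, but were not installed by a trusted store. It parses the output of two standard adb commands; the sample data, the com.example.* package names and the choice of Google Play as the only trusted installer are assumptions.

```python
import subprocess

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed sample data; the com.example.* package names are made up.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.fakesecurity/com.example.fakesecurity.HelperService"
    ":com.example.passwordmgr/.AutofillService"
)
SAMPLE_PM = """package:com.example.fakesecurity  installer=null
package:com.example.passwordmgr  installer=com.android.vending
package:com.example.game  installer=com.example.thirdpartystore
"""

def parse_accessibility(setting_value):
    """Packages named in the colon-separated enabled_accessibility_services value."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def parse_installers(pm_output):
    """Map package -> installer (None if unknown) from `pm list packages -i -3`."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        fields = line[len("package:"):].split()
        if not line.startswith("package:") or not fields:
            continue
        source = next((f[10:] for f in fields[1:] if f.startswith("installer=")), "null")
        installers[fields[0]] = None if source == "null" else source
    return installers

def suspicious_services(setting_value, pm_output):
    """Third-party packages with an enabled accessibility service that did not
    come from a trusted installer, as (package, installer) pairs."""
    installers = parse_installers(pm_output)
    hits = [(p, installers[p]) for p in parse_accessibility(setting_value)
            if p in installers and installers[p] not in TRUSTED_INSTALLERS]
    return sorted(hits, key=lambda hit: hit[0])

def adb_shell(*args):
    """Run a command on the connected device through adb and return stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    setting = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    for pkg, source in suspicious_services(setting, adb_shell("pm", "list", "packages", "-i", "-3")):
        print(f"review: {pkg} (installer: {source})")
```

Because the article notes that Brunhilda droppers were also placed in the Google Play Store, an empty result does not clear a device; the full list of enabled accessibility services is still worth reviewing by hand.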

This post was last modified on Apr. 1, 2024, 2:34 PM

