Hackers, unfortunately, are always coming up with clever new ways to steal or access secure information. Some recently detected Android malware, dubbed Vultur, is using a brazen new method for harvesting login credentials for over 100 banking and crypto apps.
The remote access Trojan (RAT) malware, Vultur, gained its name from Amsterdam-based security firm ThreatFabric. It uses a real implementation VNC screen-sharing to record a device’s screen, key log, and mirror everything back to the attacker’s server. Users unknowingly enter their credentials into what they believe to be a trusted app and the attackers then harvest the info, log into the apps on a separate device, and withdraw the money.
This screen recording method is unlike previous Android banking Trojans, which relied on an HTML overlay strategy. Vulture also heavily relies on abusing the accessibility services on the device’s OS to obtain the necessary permissions that’ll let it access what it needs to execute the credential harvest successfully.
In the report from ThreatFabric, we learned that the threat actors were able to collect a list of the apps Vulture was targeting, which were spread through the Google Play Store. Italy, Spain, and Australia were the regions that had the highest numbers of banking institutions affected by Vultur. Several crypto wallets were also targeted.
“Banking threats on the mobile platform are no longer only based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording,” ThreatFabric’s researchers wrote. “This brings the threat to another level, as such features open the door for on-device fraud, circumventing detection based on phishing MO’s that require fraud performed from a new device. With Vultur, fraud can happen on the infected device of the victim. These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware backend and sent in the form of sequenced commands.”
If the user downloads and opens up one of the applications that Vulture is targeting, the Trojan then initiates the screen-recording session. Users that catch on and try to delete the malicious app will quickly find out that they can’t—a bot within the malware automatically clicks the back button and sends the user back to the main settings screen.
The only leg up users have is to pay attention to the notification panel, which will show that an app called “Protection Guard” is projecting the screen. For a more thoroughly detailed write-up on Vultur, we recommend reading through ThreatFabric’s report. Otherwise, remember to only download trusted apps.
via Ars Technica