Recently detected Android malware, some spread through the Google Play Store, uses a novel way to supercharge the harvesting of login credentials from more than 100 banking and cryptocurrency applications.
The malware, which researchers from Amsterdam-based security firm ThreatFabric are calling Vultur, is among the first Android threats to record a device screen whenever one of the targeted apps is opened. Vultur uses a real implementation of the VNC screen-sharing application to mirror the screen of the infected device to an attacker-controlled server, researchers with ThreatFabric said.
The next level
The typical modus operandi for Android-based bank-fraud malware is to superimpose a window on top of the login screen presented by a targeted app. The “overlay,” as such windows are usually called, appears identical to the user interface of the banking app, giving victims the impression they’re entering their credentials into a trusted piece of software. Attackers then harvest the credentials, enter them into the app running on a different device, and withdraw money.
“Banking threats on the mobile platform are no longer only based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording,” ThreatFabric researchers wrote of the new Vultur approach in a post.
This brings the threat to another level, as such features open the door for on-device fraud, circumventing detection based on phishing MOs that require fraud to be performed from a new device: with Vultur, fraud can happen on the infected device of the victim. These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware backend and sent in the form of sequenced commands.
Vultur, like many Android banking trojans, relies heavily on accessibility services built into the mobile OS. When first installed, Vultur abuses these services to obtain the permissions required to work. To do this, the malware uses an overlay taken from other malware families. From then on, Vultur monitors all requests that trigger the accessibility services.
Stealth and more
The malware uses the services to detect requests that come from a targeted app. The malware also uses the services to prevent deletion of the app via traditional measures. Specifically, whenever the user tries to access the app details screen in the Android settings, Vultur automatically clicks the back button. That blocks the user from accessing the uninstall button. Vultur also hides its icon.
Another way the malware remains stealthy: trojanized apps that install it are full-featured programs that actually provide real services, such as fitness tracking or two-factor authentication. Despite the cloaking attempts, however, the malware provides at least one telltale sign that it’s running—whatever trojanized app installed Vultur will appear in the Android notification panel as projecting the screen.
Once installed, Vultur starts the screen recording, using a VNC implementation from a well-known Android app (Ars is leaving out the name, but it’s included in the ThreatFabric report). To provide remote access to the VNC server running on the infected device, the malware uses ngrok, an app that uses an encrypted tunnel to expose local systems hidden behind firewalls to the public Internet.
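The two behaviours described above (a back press fired as soon as the Settings app-details screen appears, and screen capture starting right after a banking app comes to the foreground) can be turned into detection rules over an event trace. The following is an added example, not code from Ars or ThreatFabric; the trace format, event labels, package names and the one-second reaction window are all constructed for illustration.

```python
from collections import namedtuple

# Constructed event trace (not real device output). Fields: milliseconds since
# boot, the package that generated the event, an event label loosely modelled on
# Android accessibility/projection events, and a free-text detail.
Event = namedtuple("Event", "ms package kind detail")

SAMPLE_TRACE = [
    Event(1000, "com.android.settings", "WINDOW", "app_details"),  # user opens app info
    Event(1150, "com.example.fitness", "GLOBAL_ACTION_BACK", ""),   # another app presses back
    Event(5000, "com.android.settings", "WINDOW", "wifi"),
    Event(9000, "com.example.bank", "WINDOW", "login"),            # banking app foregrounded
    Event(9400, "com.example.fitness", "PROJECTION_START", ""),     # screen capture starts
    Event(20000, "com.example.chat", "WINDOW", "inbox"),
    Event(20300, "com.example.chat", "PROJECTION_START", ""),       # app records itself: benign
]

BANKING_PACKAGES = {"com.example.bank"}  # constructed watch list of targeted apps
WINDOW_MS = 1000                         # how quickly a follow-up event counts as "immediate"


def suspicious_packages(trace, banking=BANKING_PACKAGES, window_ms=WINDOW_MS):
    """Return {package: set of rule names} for packages showing Vultur-like behaviour."""
    findings = {}
    last_window = None  # most recent foreground window change seen in the trace
    for ev in trace:
        if ev.kind == "WINDOW":
            last_window = ev
            continue
        if last_window is None or ev.ms - last_window.ms > window_ms:
            continue  # not an immediate reaction to the last foreground change
        # Rule 1: a third package presses back as soon as Settings shows an app-details page,
        # which is how the user is kept away from the uninstall button.
        if (ev.kind == "GLOBAL_ACTION_BACK"
                and last_window.package == "com.android.settings"
                and last_window.detail == "app_details"
                and ev.package != last_window.package):
            findings.setdefault(ev.package, set()).add("blocks_uninstall")
        # Rule 2: a package other than the foreground banking app starts screen projection
        # right after that banking app was brought to the front.
        if (ev.kind == "PROJECTION_START"
                and last_window.package in banking
                and ev.package != last_window.package):
            findings.setdefault(ev.package, set()).add("records_banking_app")
    return findings
```

A package that trips both rules, as the constructed fitness app does here, matches the page's description of the dropper-installed trojan far more closely than one that trips only the projection rule (a legitimate screen recorder capturing its own screen, as in the last two events, trips neither).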
The malware is installed by a trojanized app known as a dropper. So far, ThreatFabric researchers have found two trojanized apps in Google Play that install Vultur. They had combined installations of about 5,000, leading the researchers to estimate that Vultur infections number in the thousands. Unlike most Android malware, which relies on third-party droppers, Vultur uses a custom dropper that has come to be called Brunhilda.
“This dropper and Vultur are both developed by the same threat actor group,” ThreatFabric researchers wrote. “The choice of developing its own private trojan, instead of renting third-party malware, displays a strong motivation from this group, paired with the overall high level of structure and organization present in the bot as well as the server code.”
The researchers found that Brunhilda was used in the past to install different Android banking malware known as Alien. In all, the researchers estimate Brunhilda has infected more than 30,000 devices. The researchers based the estimate on malicious apps previously available in the Play Store—some with more than 10,000 installations each—as well as figures from third-party markets.
Vultur is programmed to record screens when any of 103 Android banking or cryptocurrency apps are running in the foreground. Italy, Australia, and Spain were the countries with the most banking institutions targeted.
Besides banking and cryptocurrency apps, the malware also harvests credentials for Facebook, Facebook-owned WhatsApp messenger, TikTok, and Viber Messenger. Credential harvesting for these apps occurs through traditional keylogging, although the ThreatFabric post didn’t explain why.
While Google has removed all Play Market apps known to contain Brunhilda, the company’s track record suggests that new trojanized apps will probably appear. Android users should only install apps that provide useful services and, even then, only apps from well-known publishers, when at all possible. People should also pay close attention to user ratings and app behavior for indications of malice.