A nasty Android Trojan targeting banking, social media, and cryptocurrency apps steals your information the old-fashioned way: it records everything that happens on your phone's screen.
Named "Vultur" by researchers at ThreatFabric, an Amsterdam-based information security firm, the malware targets banking apps from Australia, Italy, Spain, the Netherlands, and the UK, as well as Facebook, WhatsApp, social media apps such as TikTok, and cryptocurrency apps such as Binance and Coinbase.
Vultur is installed on Android phones by a "dropper" called Brunhilda, which is present in several fitness, phone security, and authentication apps, some of which are found in the Google Play store. The infected apps work as expected by the user, but behind the scenes Brunhilda connects to a malware server and downloads Vultur (or other malware).
One of the infected apps, called Protection Guard, logged over 5,000 installs before being removed from Google Play; ThreatFabric estimates that 30,000 phones may have been infected with Brunhilda. As for Vultur in particular, ThreatFabric reports that "the number of potential victims is estimated to be in the thousands."
Most Android banking Trojans steal users' login credentials by creating an "overlay," a fake login screen that appears to belong to a widely used online banking app. But Vultur takes a different approach: it uses remote access technology to record every action the owner of an infected phone makes when using a particular app. It also uses keyloggers to capture user input that does not appear on the screen.
This record is then sent to a server operated by the criminals running Vultur, who can replay screen recordings of the unknowing victim logging into and using Facebook, accessing bank accounts, and making cryptocurrency transactions. With the keylog data added, the offender can watch a walk-through of the potential victim going about his or her daily business.
Vultur does this by exploiting an Android feature, accessibility services. Accessibility services are features designed to assist users with visual or hearing impairments or those who cannot see the screen. For example, accessibility services allow one app to read out loud what is displayed on another app's screen.
However, accessibility services are often exploited by information-stealing malware because they give apps unusual access to each other, far beyond what is normally allowed in Android. Vultur even uses the "back" button to hijack the screen.
Users can stall Vultur (and many other banking Trojans) by denying infected apps permission to use accessibility services. Vultur often comes in the form of apps that don't really need accessibility services, so detecting it shouldn't necessarily be difficult.
Also, according to ThreatFabric, if Vultur is sending data to a command and control server, you can detect it by seeing an active "cast" icon in your Android notifications. If you see the icon even though you are not casting anything, you should worry.
Another option is to install and use one of the best Android antivirus apps; Brunhilda is a known threat and most antivirus apps will detect it immediately; if Vultur is not already on the list, it should be added soon.