IT security researchers at the Amsterdam company ThreatFabric have discovered a previously undocumented Trojan for smartphones running the Android operating system. What is new about the malware, christened “Vultur”, is that it uses screen recording functions to spy on sensitive information on the affected phones. So far, the attackers have primarily targeted login data, including passwords for online banking and for crypto wallets used to manage Bitcoin & Co.
Recorded content remotely
According to a report by the online magazine The Hacker News, users in Italy, Australia and Spain are mainly affected. Among the targets ThreatFabric lists are the apps of financial institutions such as ING, ABN Amro, HSBC, the Italian Post, Volksbank and Santander. Specific Bitcoin wallets are also targeted: Coinbase, Kraken and Crypto.com.
Vultur is a so-called Remote Access Trojan (RAT). Malware of this kind is smuggled into a system in order to control it remotely. Vultur's programmers rely on the functions of Virtual Network Computing (VNC), with which smartphones and other IT devices can be controlled remotely. Specifically, they use the associated options for sharing and recording whatever is currently visible on the screen of the externally controlled system.
Distribution via the Google Play Store
According to ThreatFabric, the malware was distributed via the official Google Play Store, disguised as an app called “Protection Guard”. This app had already been installed over 5000 times, so the number of victims is likely in the same range.
“For the first time we see an Android banking Trojan whose main strategy is screen recording and keylogging in order to access login data in an automated and scalable manner,” explain the security experts. “The actors have decided against the usual HTML overlay development,” which is normally seen in such digital pests.
Efficient banking trojan
This approach, used by malware such as MysteryBot, Grandoreiro, Banker.BR and Vizom, usually requires more effort, the company explains. Several templates, deceptively similar to the real site, would have to be placed over the actual website in order to trick the user. Instead, the attackers chose to “simply record what is displayed on the screen in order to effectively achieve the same result”.
The researchers named the spyware, in a slightly modified spelling, after the English word “vulture”. “Just like these big birds, this Trojan watches everything that happens on the devices,” they said. The Trojan tries to obtain all personal information with which online fraud can be carried out on a large scale. This includes access tokens, for example.
Malware protects itself from being uninstalled
In addition to screen recording and keylogging, the cybercriminals, according to ThreatFabric, use functions that prevent the user from deleting the application from the device by the usual means. As soon as the user reaches the page with the application details via the Android settings, the bot automatically clicks the “Back” button. The user ends up back at the main settings screen, which blocks access to the uninstall button.
Vultur also uses ngrok, a cross-platform utility. It exposes local servers that sit behind network address translation (NAT) and firewalls to the public Internet via secure tunnels, which here enables remote access to the VNC server running locally on the phone. The malware also connects to a command and control server (C2) to receive commands via Firebase Cloud Messaging (FCM). The results of these commands, including extracted data and screenshots, are then sent back to the server.
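The tunnel component described above gives defenders a network-side signal: a phone that starts resolving hostnames under a tunnel service's domain is worth a look, while the FCM channel blends in with legitimate Google traffic and cannot be flagged on its own. The following detector is an added example and is not code from the article or from ThreatFabric. The resolver log format (`<timestamp> <client_ip> <hostname> <qtype>`), the client addresses, the log lines themselves and the list of tunnel-domain suffixes are all constructed for illustration; `ngrok.io` is ngrok's tunnel domain, the other suffixes are assumptions a security team would maintain itself.

```python
"""Flag DNS lookups for reverse-tunnel hostnames on a mobile network segment.

Added example (not from the article or ThreatFabric): scans constructed
resolver log lines for hostnames under tunnel-service domains such as
ngrok's, which the article reports Vultur uses to expose the phone's
local VNC server. Log format, addresses and suffix list are assumptions.
"""
import re
from collections import defaultdict

# Tunnel-service suffixes to watch. "ngrok.io" is ngrok's tunnel domain;
# the full list is an assumption and would be maintained by the defender.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "ngrok.app")

# Assumed resolver log format: "<timestamp> <client_ip> <hostname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log. The FCM lookup is legitimate Google traffic and
# is deliberately not flagged: C2 over FCM looks like normal push traffic.
SAMPLE_LOG = """\
2021-07-29T10:00:01Z 10.10.5.21 www.example.com A
2021-07-29T10:00:03Z 10.10.5.42 abcd1234.ngrok.io A
2021-07-29T10:00:04Z 10.10.5.42 fcm.googleapis.com A
2021-07-29T10:00:09Z 10.10.5.42 abcd1234.ngrok.io A
2021-07-29T10:00:15Z 10.10.5.21 corp-mail.example.com A
"""


def parse_line(line):
    """Return (timestamp, client_ip, hostname) for a well-formed line, else None."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    timestamp, client_ip, host, _qtype = match.groups()
    return timestamp, client_ip, host.lower().rstrip(".")


def is_tunnel_host(host, suffixes=TUNNEL_SUFFIXES):
    """True if host is a watched domain or a subdomain of one.

    The leading dot avoids matching look-alikes such as "notngrok.io"."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_tunnel_lookups(log_text, suffixes=TUNNEL_SUFFIXES):
    """Return every (timestamp, client_ip, hostname) that hits a watched suffix."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and is_tunnel_host(record[2], suffixes):
            hits.append(record)
    return hits


def summarize_by_client(log_text, suffixes=TUNNEL_SUFFIXES):
    """Aggregate hits per client: how many lookups and which distinct hostnames."""
    per_client = defaultdict(lambda: {"lookups": 0, "hosts": set()})
    for _timestamp, client_ip, host in find_tunnel_lookups(log_text, suffixes):
        per_client[client_ip]["lookups"] += 1
        per_client[client_ip]["hosts"].add(host)
    return {
        ip: {"lookups": d["lookups"], "hosts": sorted(d["hosts"])}
        for ip, d in per_client.items()
    }


if __name__ == "__main__":
    for ip, detail in summarize_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {detail['lookups']} lookups of tunnel hostnames {detail['hosts']}")
```

On the sample log the summary attributes both tunnel lookups to the single client `10.10.5.42`, while the FCM lookup from the same client goes unreported, which is the point: the push channel is indistinguishable from benign traffic, so the tunnel hostname is the actionable indicator.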
Cooperation with virus dropper “Brunhilda”
ThreatFabric also links Vultur to another well-known piece of malware called Brunhilda. This is a “dropper”, a distributor that downloads the actual malicious code from the network or carries it packed inside. Brunhilda uses the Play Store to distribute various types of malware in what is known as a “dropper-as-a-service” (DaaS) arrangement. The experts discovered overlaps in the source code and in the C2 infrastructure used for the attacks. This indicates that the makers of Brunhilda developed Vultur as a tool built on it.
According to ThreatFabric, the case illustrates that attackers are increasingly switching from leased Trojans, which are offered on underground markets as “Malware-as-a-Service” (MaaS), to proprietary, self-developed malware. The latter is tailored directly to the needs of the cybercrime group. Attacks carried out with it are scalable and can be automated. The actions required to carry out fraud are already programmed into the malware's backend, so that they can be sent in the form of individual command sequences.