Vultur, an Android banking trojan, has resurfaced with enhanced remote control and data acquisition abilities.
Joshua Kamp of NCC Group reported last week that Vultur has also begun disguising more of its malicious activity, using techniques such as encrypting its communications and hiding behind fake applications.
The Vultur malware was first discovered in early 2021. It abuses Android's accessibility services APIs to carry out harmful actions on the device.
Trojanized dropper apps on the Google Play Store have been observed spreading the malware; they pose as productivity and authenticator apps to trick unsuspecting users into installing them. These droppers are distributed as part of the Brunhilda dropper-as-a-service (DaaS) platform.
NCC Group's observations show that the droppers are delivered through a combination of SMS messages and phone calls, a technique known as telephone-oriented attack delivery (TOAD), which ultimately installs the upgraded version of the malware.
After installation, the malicious dropper runs three related payloads (two APKs and one DEX file). These register the bot with the command-and-control (C2) server, obtain accessibility services permissions, enable remote access through ngrok and AlphaVNC, and execute commands retrieved from the C2 server.
Vultur can interact with infected devices remotely: it can download, upload, delete, install, and find files, and it uses Android's accessibility services to perform clicks, scrolls, and swipes.
The malware is designed to prevent victims from using specific apps, display customized notifications on the status bar, and disable the Keyguard to bypass lock screen security.
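Because the remote-control, file-handling, and Keyguard-disabling behaviour described above all hinge on the trojan obtaining accessibility service access, a quick defender-side check is to list which third-party packages currently hold that access on a device. The script below is an added example, not code from the NCC Group report or from Vultur itself. It parses the text printed by `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`; the device output embedded here is constructed for illustration, the package names in it are made up, and the `EXPECTED_SERVICES` allowlist is a hypothetical baseline you would replace with your own.

```python
"""Flag third-party Android packages holding Accessibility Service access.

Added example (not from the report). Input format follows the two adb
commands named in the comments; the sample data below is constructed.
"""
from __future__ import annotations

# Constructed sample of `settings get secure enabled_accessibility_services`.
# Android stores the enabled services as colon-separated flattened
# ComponentNames, i.e. "package/fully.qualified.ServiceClass". When no
# service is enabled the command prints the literal string "null".
SAMPLE_ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeauth/com.example.fakeauth.AccessHelper"
)

# Constructed sample of `pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """\
package:com.example.fakeauth
package:com.example.notes
package:org.example.messenger
"""

# Hypothetical allowlist of services a fleet expects to see enabled.
# Anything else that belongs to a third-party package is worth a look.
EXPECTED_SERVICES = {
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the settings value into (package, service_class) pairs.

    Handles the "null" value printed when nothing is enabled and the short
    "pkg/.Relative" form Android may emit when the class lives in the package.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs: list[tuple[str, str]] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, service = entry.partition("/")
        if service.startswith("."):
            service = pkg + service
        pairs.append((pkg, service))
    return pairs


def parse_third_party_packages(raw: str) -> set[str]:
    """Collect package names from `pm list packages -3` output."""
    pkgs: set[str] = set()
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def suspicious_accessibility_grants(
    enabled_raw: str,
    third_party_raw: str,
    allowlist: set[str] = EXPECTED_SERVICES,
) -> list[str]:
    """Return flattened service names that are enabled, not allowlisted,
    and belong to a third-party (user-installed) package."""
    third_party = parse_third_party_packages(third_party_raw)
    findings: list[str] = []
    for pkg, service in parse_enabled_services(enabled_raw):
        flattened = f"{pkg}/{service}"
        if flattened in allowlist:
            continue
        if pkg in third_party:
            findings.append(flattened)
    return findings


if __name__ == "__main__":
    for hit in suspicious_accessibility_grants(SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY):
        print(f"review: third-party accessibility service enabled: {hit}")
```

In practice you would feed the script the live output of the two adb commands rather than the constructed strings; a hit only says that a user-installed app holds accessibility access, which is the capability Vultur needs, so it is a triage lead rather than proof of infection.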