Saturday, March 30, 2024

Beware! New Banking Trojan Poses as McAfee Security App

Today, security researchers have uncovered a new iteration of the Vultur banking trojan for Android devices, which boasts enhanced remote control capabilities and a more sophisticated evasion mechanism.


This discovery comes after the fraud detection company ThreatFabric initially identified the malware back in March 2021. Fast forward to late 2022, and researchers observed its distribution via Google Play through dropper apps. By the end of 2023, mobile security platform Zimperium listed Vultur among the top 10 most active banking trojans of the year, with its variants targeting 122 banking apps across 15 countries.

Now, a recent report from Fox-IT, a part of the NCC Group, has issued a stark warning about the latest version of Vultur. This new variant employs a hybrid attack, leveraging both smishing (SMS phishing) and phone calls to deceive victims into installing what appears to be the McAfee Security app. Little do they know, this app harbors the malicious 'Brunhilda' malware dropper.


So, how does this infection chain unfold? Well, it all begins with an SMS notification alerting the victim of an unauthorized transaction. The victim is then directed to call a provided number for assistance. Upon calling, a fraudster persuades them to open a link sent via another SMS, leading to a site offering a modified version of the McAfee Security app.


Once installed, this trojanized app executes three Vultur-related payloads that obtain access to Accessibility Services, set up the remote control components, and establish a connection with the command and control (C2) server.


But the danger doesn't stop there. This latest version of Vultur retains its core functionalities, including screen recording, keylogging, and remote access via AlphaVNC and ngrok, providing attackers with real-time monitoring capabilities.


Moreover, the new variant introduces a slew of additional features, such as file management actions, utilizing Accessibility Services for gestures, blocking specific apps, displaying custom notifications, and disabling Keyguard to bypass lock screen security.


To make matters worse, Vultur has implemented new evasion mechanisms, encrypting its communications and using encrypted payloads to conceal its malicious activities, making detection and reverse engineering a daunting task for security experts.


As Vultur's developers continue to refine their creation, it's imperative for Android users to exercise caution. Stick to reputable app stores like Google Play, scrutinize app permissions, and refrain from clicking on suspicious links.
