Vultur Android malware gets even nastier with remote access


The Android banking malware known as Vultur has resurfaced with a major update that gives it far more ability to interact with infected devices and manipulate their files, according to a recent report from SecurityWeek. Vultur first appeared in March 2021, when it abused legitimate applications such as AlphaVNC and ngrok to remotely access a VNC server running on the victim's device, letting its screen recorder and keylogger steal credentials.

The upgraded Vultur Android Trojan can now take full control of infected devices and access their files

The latest edition of Vultur extends its feature set and now allows full control of compromised devices. New capabilities include interfering with applications, posting custom notifications, bypassing lock-screen protections, and manipulating files by downloading, uploading, installing, searching for, or deleting them.

Although the NCC Group report notes that the malware still relies primarily on AlphaVNC and ngrok for remote access, its latest version has improved anti-analysis and detection-evasion mechanisms. These include multiple payloads, switching to innocuous apps, native code for payload decryption, and AES encryption of command and control (C&C) communications.

The infection usually starts with an SMS that demands the victim call a certain number immediately to deal with an unauthorized transaction. Soon afterwards, a second text message reaches the device containing a malicious URL that points to a trojanized McAfee Security package, which serves as the dropper for the malware.
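The two-stage smishing chain described above (an urgent "call this number about a transaction" message followed by a link dressed up as a security product) is a pattern a defender can look for in SMS telemetry. The following Python example is added here as an illustration; it is not code from the original article or from NCC Group. It runs simple heuristics over a small set of constructed SMS records and reports devices where a stage-1 callback lure is followed within a time window by a stage-2 download lure. All phone numbers, URLs and message bodies are constructed sample data, not real indicators.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stage 1: the message pressures the victim to phone a number about a payment problem.
URGENCY_PHRASES = ("unauthorized transaction", "unauthorised transaction", "suspicious transaction")
# Stage 2: the message delivers a download link wrapped in security-product branding.
SECURITY_LURE_WORDS = ("mcafee", "antivirus", "security")

PHONE_RE = re.compile(r"\+?\d[\d\s\-]{6,}\d")        # loose international phone-number shape
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
APK_RE = re.compile(r"\.apk(?:[?#]|$)", re.IGNORECASE)  # link points straight at an Android package


@dataclass(frozen=True)
class Sms:
    device: str      # handset that received the message
    sender: str
    ts: datetime
    body: str


def is_callback_lure(body: str) -> bool:
    """Stage 1: urgency about a transaction plus a phone number to call."""
    lower = body.lower()
    return any(p in lower for p in URGENCY_PHRASES) and PHONE_RE.search(body) is not None


def is_dropper_lure(body: str) -> bool:
    """Stage 2: a link that is either an APK or surrounded by security-product wording."""
    m = URL_RE.search(body)
    if m is None:
        return False
    lower = body.lower()
    return bool(APK_RE.search(m.group(0))) or any(w in lower for w in SECURITY_LURE_WORDS)


def find_smishing_chains(messages, window=timedelta(hours=24)):
    """Return one finding per device where a stage-1 lure is followed by a stage-2 lure within `window`."""
    per_device = {}
    for sms in messages:
        per_device.setdefault(sms.device, []).append(sms)

    findings = []
    for device, msgs in per_device.items():
        msgs.sort(key=lambda s: s.ts)
        for i, first in enumerate(msgs):
            if not is_callback_lure(first.body):
                continue
            for second in msgs[i + 1:]:
                if second.ts - first.ts > window:
                    break  # messages are sorted, so nothing later can be inside the window
                if is_dropper_lure(second.body):
                    findings.append({
                        "device": device,
                        "callback_sms": first,
                        "dropper_sms": second,
                        "url": URL_RE.search(second.body).group(0),
                    })
                    break
    return findings


# Constructed sample telemetry (fictional 555 numbers and the reserved .invalid TLD).
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_SMS = [
    Sms("phone-A", "+1 555 010 0100", T0,
        "Alert: an unauthorized transaction of 489.00 EUR was made from your account. "
        "Call +1 555 010 0199 immediately to stop it."),
    Sms("phone-A", "+1 555 010 0100", T0 + timedelta(minutes=25),
        "McAfee Security detected a threat. Install protection now: "
        "https://example.invalid/McAfee-Security.apk"),
    Sms("phone-B", "PARCEL", T0, "Your parcel arrives tomorrow between 9 and 12."),
    Sms("phone-B", "VERIFY", T0 + timedelta(minutes=5), "Your one-time code is 482913. Do not share it."),
    Sms("phone-B", "+1 555 010 0200", T0 + timedelta(hours=1), "Notes from today: https://example.invalid/notes"),
    # Stage 2 on its own, with no preceding callback lure, is not reported as a chain.
    Sms("phone-C", "+1 555 010 0300", T0, "Antivirus update available: https://example.invalid/update"),
]

if __name__ == "__main__":
    for f in find_smishing_chains(SAMPLE_SMS):
        print(f"{f['device']}: callback lure at {f['callback_sms'].ts:%H:%M}, "
              f"dropper link {f['url']} at {f['dropper_sms'].ts:%H:%M}")
```

The ordering requirement matters: a security-branded link on its own is common enough to be noisy, but the same link arriving shortly after a "call us now about a transaction" message is much more specific to the delivery chain the report describes. Shrinking `window` trades recall for precision.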

Delivered by the Brunhilda dropper, Vultur consists of three components, called payloads, each of which prepares the next stage of execution. Through these payloads, Vultur obtains accessibility service privileges, sets up AlphaVNC and ngrok, and provides basic backdoor functionality.

Using remote control, attackers can also perform gestures and lock you out of your device

To support remote interaction, Vultur now includes seven new C&C methods that let attackers perform actions such as clicks, scrolls, and swipe gestures. It also adds 41 new commands delivered over Firebase Cloud Messaging (FCM) that make use of these privileges, and an SMS-based command channel that works without a persistent connection to the C&C server.

In addition, the latest edition of Vultur can prevent the user from interacting with certain applications. In short, the updated Vultur poses a significant danger to Android users, since it now combines remote control of infected devices with file manipulation. NCC Group therefore advises Android owners to be cautious.
