The Android banking Trojan known as Vultur has resurfaced with a suite of new features and improved anti-analysis and detection evasion techniques, allowing its operators to remotely interact with a mobile device and collect sensitive data.
“Vultur has also begun to mask more of its malicious activity by encrypting its C2 communications, using multiple encrypted payloads that are decrypted on the fly, and using the masquerade of legitimate applications to carry out its malicious actions,” NCC Group researcher Joshua Kamp said in a report released last week.
Vultur was first documented in early 2021, when the malware was found to abuse Android Accessibility Services APIs to carry out its malicious actions.
The malware has been observed to be distributed via trojanized app droppers on the Google Play Store, masquerading as authentication and productivity apps to trick unwitting users into installing them. These dropper apps are offered as part of a dropper-as-a-service (DaaS) operation called Brunhilda.
Other attack chains, as noted by NCC Group, involve spreading droppers using a combination of SMS messages and phone calls – a technique called Telephone-Oriented Attack Delivery (TOAD) – to ultimately serve up an updated version of the malware.
“The first SMS message guides the victim to a phone call,” Kamp said. “When the victim calls the number, the scammer provides the victim with a second SMS that includes the link to the dropper: a modified version of the [legitimate] McAfee Security application.”
The initial SMS message aims to induce a false sense of urgency by instructing recipients to call a number to authorize a non-existent transaction involving a large sum of money.
Upon installation, the malicious dropper executes three related payloads (two APKs and one DEX file) that register the bot with the C2 server, obtain accessibility services permissions for remote access via AlphaVNC and ngrok, and execute fetched commands from the C2 server.
One of Vultur’s most notable additions is the ability to remotely interact with the infected device, including clicking, scrolling, and swiping, via Android Accessibility Services, as well as to download, upload, delete, install, and find files.
Additionally, the malware is designed to prevent victims from interacting with a predefined list of apps, display customized notifications in the status bar, and even disable Keyguard to bypass lock screen security measures.
“Recent Vultur developments have shown a shift in focus towards maximizing remote control over infected devices,” Kamp said.
“With the ability to issue commands for scrolling, swipe gestures, clicks, volume control, blocking app execution, and even integrating file management functionality, it’s clear that the main focus is to gain total control over compromised devices.”
The development comes as Team Cymru revealed the transition of the Android banking trojan Octo (also known as Coper) to a malware-as-a-service operation, offering its services to other threat actors to conduct information theft.
“The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device screen,” the company said.
“It employs various injections to steal sensitive information, such as passwords and login credentials, by displaying fake screenshots or overlays. Additionally, it uses VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance capabilities.”
The Octo campaigns are estimated to have compromised 45,000 devices, mainly in Portugal, Spain, Turkey and the United States. Some of the other victims are located in France, the Netherlands, Canada, India and Japan.
The findings also follow the emergence of a new campaign targeting Android users in India that distributes malicious APK packages posing as online booking, billing and courier services via a malware-as-a-service (MaaS) offering.
The malware “targets the theft of banking information, SMS messages and other sensitive information from victims’ devices,” Broadcom-owned Symantec said in a statement.