[UPDATED] Android malware ‘Vultur’ gets even nastier with remote access


UPDATE: A Google spokesperson reached out with a comment regarding the ‘Vultur’ Android malware. The company said the following: “Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play”.

According to SecurityWeek’s latest post, the Vultur Android banking trojan has resurfaced with a major update that extends its ability to interact with infected devices and manipulate files. Vultur first surfaced in March 2021; at the time it bundled the legitimate tools AlphaVNC and ngrok to expose a VNC server running on the victim’s device, giving operators screen recording and keylogging for credential theft.

Upgraded Android trojan Vultur can now take full control of infected devices and access their files

The latest version of Vultur builds on those capabilities and now gives operators full control over compromised devices: interacting with applications on the victim’s behalf, posting custom notifications, bypassing lock-screen protections, and managing files by downloading, uploading, installing, searching, or deleting them.

NCC Group’s report notes that the malware still relies on AlphaVNC and ngrok for remote access, but the latest version adds anti-analysis and detection-evasion mechanisms: the functionality is split across multiple payloads, the malware masquerades as legitimate apps, payload decryption is done in native code, and command-and-control (C&C) traffic is AES-encrypted.

Infection typically begins with an SMS urging the victim to call a specific number immediately to deal with an unauthorized transaction. Shortly afterwards a second SMS arrives with a malicious URL pointing to a trojanized copy of the McAfee Security app, which acts as the dropper for the malware itself.

The dropper belongs to the Brunhilda dropper framework, and Vultur itself is split into three payloads, each of which enables the next stage of execution. With these payloads in place, Vultur obtains Accessibility Service privileges, sets up AlphaVNC and ngrok, and runs the core backdoor functionality.
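The chain above needs two things on the victim’s device: a sideloaded package and Accessibility Service access granted to it. As an added triage example (not code from the article, SecurityWeek or NCC Group), the following Python script parses the output of two adb commands, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and flags every enabled accessibility service whose package was not installed by a trusted installer. The sample command outputs and the package name `com.example.securityapp` are constructed for the example; the allowlist of trusted installers is an assumption you should adjust to your fleet.

```python
"""Triage helper: flag sideloaded apps that hold Accessibility Service access.

On a real device the two inputs come from:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
The samples below are constructed for this example.
"""
import re
import subprocess

# Constructed sample: colon-separated "package/ServiceClass" entries.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.securityapp/com.example.securityapp.AccService"
)

# Constructed sample of `pm list packages -i`; "installer=null" means sideloaded.
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.securityapp  installer=null
package:com.android.chrome  installer=com.android.vending
"""

# Assumed allowlist: Google Play only. Add your MDM or OEM store here.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw):
    """Map package name -> list of enabled accessibility service classes."""
    services = {}
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        services.setdefault(pkg, []).append(cls)
    return services


def parse_installers(raw):
    """Map package name -> installer package, or None when sideloaded."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installer = m.group(2)
            installers[m.group(1)] = None if installer == "null" else installer
    return installers


def find_suspicious(enabled_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """Return accessibility-enabled packages not installed by a trusted source.

    A hit is a triage signal, not proof of malware: legitimate sideloaded
    accessibility apps exist, so each finding needs a human look.
    """
    services = parse_enabled_services(enabled_raw)
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, classes in services.items():
        installer = installers.get(pkg)
        if installer not in trusted:
            findings.append(
                {"package": pkg, "services": classes, "installer": installer}
            )
    return findings


def adb_shell(cmd):
    """Run an adb shell command against the connected device (live mode only)."""
    return subprocess.run(
        ["adb", "shell", cmd], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for hit in find_suspicious(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES):
        print(
            f"[!] {hit['package']} has accessibility access and was installed "
            f"by {hit['installer'] or 'an unknown source (sideloaded)'}: "
            f"{', '.join(hit['services'])}"
        )
```

For a live check, replace the two sample strings with `adb_shell("settings get secure enabled_accessibility_services")` and `adb_shell("pm list packages -i")`. The second check is worth keeping even when nothing holds accessibility access: a package with `installer=null` that claims to be a security product is exactly the shape of the dropper described above.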

With remote control, attackers can also perform gestures and lock you out of the device

To support remote interaction, Vultur adds seven new C&C methods that let attackers perform clicks, scrolls, and swipe gestures on the device. There are also 41 new commands delivered through Firebase Cloud Messaging (FCM) that make use of the Accessibility Service privileges; because FCM is a push channel, the operator can reach the device without keeping a persistent connection open.

The latest version can also block the user from interacting with specific applications. In short, the updated Vultur poses a significant danger to Android users: it gives operators remote control over infected devices and lets them manipulate files. NCC Group therefore advises Android users to remain cautious. Given the delivery chain described above, the practical takeaways are to avoid installing packages from links received by SMS and to review which installed apps hold Accessibility Service access.

2024-04-03 15:08:59