Capturing your credentials as you log on to apps, Vultur uses screen recording to gain access your bank and social media accounts.
What is Vultur?
Discovered by Amerstam-based security outfit, ThreatFabric, Vultur is the name they’ve given to a new type of Android banking-fraud malware that harvests banking, social media and messaging login credentials using screen recording and keylogging.
The name symbolises the all-seeing eye of the scavenging vulture, with the V also representing VNC – a screen recording system used by Vultur to steal usernames, passwords and access tokens.
What damage can it do?
Vultur is a banking-fraud Trojan, so if you’re infected, and use one of the targetted banking apps, your credentials may have been compromised. The attacker may be able to log in to your bank accounts as you, and so can transfer money to another account. Other targetted apps in Vultur’s list include email and social media, so these accounts may also be compromised, revealing personal and sensitive information to the attacker.
Even if the attacker doesn’t act on the stolen credentials themselves, your data may be sold to other threat actors, so even if you don’t see any suspicious activity on your accounts right now, you should still change your passwords, clean up your phone and tablets, and set up biometric access to apps where possible.
How does it work?
The threat group behind Vultur have chosen to avoid the time-consuming method of credential harvesting we usually see in Android banking Trojans. That is, to present an “overlay” on top of a banking app, mimicking the login page and capturing the credentials as they’re entered.
Instead, Vultur simply records the screen and sends that to the attacker. It uses VNC screen-sharing implementation to “mirror” the screen of the infected devices to the attacker’s server – recording the device’s screen whenever one of the target banking apps is opened.
Relying heavily on Accessibility Services, Vultur gains all the permissions it needs to check an application against its list of target apps, and to start screen recording or keylogging. As well as hiding its app icon to avoid detection, it also prevents the user deleting the infected app from the device using the usual “uninstall” method by employing a tricksy back button when a user gets to the app details screen.
How is it spread?
ThreatFabric believes that Vultur was developed by the same threat actor group behind Brunhilda, a dropper that has been found distributing malware in Google Play apps.
Vultur itself has been detected by ThreatFabric in two (so far) apps on the Play store: Protection Guard and Authenticator 2FA.
The most widely affected countries so far have been Australia, Italy and Spain, with most banking apps for those countries listed as a target, such as HSBC Australia, Santander, BBVA Spain, and also many crypto-wallets. Apps that prompt Vultur’s keylogging include WhatsApp, Facebook, Viber and TikTok.
How to protect yourself
Because Vultur hides the infected app icons it can be tricky to spot on your device. Use mobile threat detection like Traced for Android and look through the list of apps. All apps – even the “hidden” ones will appear here. Keep an eye out for the two known infected apps – Protection Guard and Authenticator 2FA. Be aware though, that others may be discovered in the future.
Luckily, Traced also has a screen recording alert – so if an app starts recording your screen (or indeed, using other permissions like accessing the camera or microphone) we alert you straight away. Although Android doesn’t allow us to see the exact app that caused the alert, we list the potential culprits in order of probability, so you can start removing any you don’t recognise or restricting their permissions.
With regards to removing the app, we mentioned earlier that Vultur makes it particularly difficult for users to uninstall it. The Traced app can guide you through removal of infected apps.
If you think you may have been affected by Vultur, or any other mobile malware
- change your passwords to your critical apps like email, banking, wallets, social media;
- clean up your phone and tablets with an app like Traced; and
- set up biometric access to apps where possible.
And finally, ThreatFabric has a message for financial institutions too: