cybersecurity spyware

Vultur: A new banking Trojan on Android

Capturing your credentials as you log on to apps, Vultur uses screen recording to gain access your bank and social media accounts.

What is Vultur?

Discovered by Amerstam-based security outfit, ThreatFabric, Vultur is the name they’ve given to a new type of Android banking-fraud malware that harvests banking, social media and messaging login credentials using screen recording and keylogging.

The name symbolises the all-seeing eye of the scavenging vulture, with the V also representing VNC – a screen recording system used by Vultur to steal usernames, passwords and access tokens.

What damage can it do?

Vultur is a banking-fraud Trojan, so if you’re infected, and use one of the targetted banking apps, your credentials may have been compromised. The attacker may be able to log in to your bank accounts as you, and so can transfer money to another account. Other targetted apps in Vultur’s list include email and social media, so these accounts may also be compromised, revealing personal and sensitive information to the attacker.

Even if the attacker doesn’t act on the stolen credentials themselves, your data may be sold to other threat actors, so even if you don’t see any suspicious activity on your accounts right now, you should still change your passwords, clean up your phone and tablets, and set up biometric access to apps where possible.

How does it work?

The threat group behind Vultur have chosen to avoid the time-consuming method of credential harvesting we usually see in Android banking Trojans. That is, to present an “overlay” on top of a banking app, mimicking the login page and capturing the credentials as they’re entered.

Instead, Vultur simply records the screen and sends that to the attacker. It uses VNC screen-sharing implementation to “mirror” the screen of the infected devices to the attacker’s server – recording the device’s screen whenever one of the target banking apps is opened.

“Banking threats on the mobile platform … are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording.”


Relying heavily on Accessibility Services, Vultur gains all the permissions it needs to check an application against its list of target apps, and to start screen recording or keylogging. As well as hiding its app icon to avoid detection, it also prevents the user deleting the infected app from the device using the usual “uninstall” method by employing a tricksy back button when a user gets to the app details screen.

How is it spread?

ThreatFabric believes that Vultur was developed by the same threat actor group behind Brunhilda, a dropper that has been found distributing malware in Google Play apps.

Vultur itself has been detected by ThreatFabric in two (so far) apps on the Play store: Protection Guard and Authenticator 2FA.

The most widely affected countries so far have been Australia, Italy and Spain, with most banking apps for those countries listed as a target, such as HSBC Australia, Santander, BBVA Spain, and also many crypto-wallets. Apps that prompt Vultur’s keylogging include WhatsApp, Facebook, Viber and TikTok.

See the full list of screen recording and keylogging targets

There was a problem adding you to the newsletter. Please check your email address and try again.

There was a problem adding you to the newsletter. Please try again later.

Congratulations, you have successfully joined our newsletter!

How to protect yourself

Because Vultur hides the infected app icons it can be tricky to spot on your device. Use mobile threat detection like Trustd for Android and look through the list of apps. All apps – even the “hidden” ones will appear here. Keep an eye out for the two known infected apps – Protection Guard and Authenticator 2FA. Be aware though, that others may be discovered in the future.

Luckily, Trustd also has a screen recording alert – so if an app starts recording your screen (or indeed, using other permissions like accessing the camera or microphone) we alert you straight away. Although Android doesn’t allow us to see the exact app that caused the alert, we list the potential culprits in order of probability, so you can start removing any you don’t recognise or restricting their permissions.

With regards to removing the app, we mentioned earlier that Vultur makes it particularly difficult for users to uninstall it. The Trustd app can guide you through removal of infected apps.

If you think you may have been affected by Vultur, or any other mobile malware

  1. change your passwords to your critical apps like email, banking, wallets, social media;
  2. clean up your phone and tablets with an app like Trustd; and
  3. set up biometric access to apps where possible.

And finally, ThreatFabric has a message for financial institutions too:

As the mobile channels of financial institutions continue to grow, mobile banking malware will only become more popular. Besides a steep increase in mobile malware volumes targeting banking apps last and this year, we see mobile malware becoming more and more sophisticated enabling hard-to-detect large scale attacks.


Download Trustd for Android