Android Banking Trojan Vultur uses screen recording for credentials stealing

Experts spotted a new strain of Android banking Trojan dubbed Vultur that uses screen recording and keylogging for the capturing of login credentials.

ThreatFabric researchers discovered a new Android banking Trojan, tracked as Vultur, that uses screen recording and keylogging to capture login credentials.

Vultur was first spotted in late March 2021, it gains full visibility on victims’ devices via VNC (Virtual Network Computing) implementation taken from AlphaVNC.

“For the first time we are seeing an Android banking trojan that has screen recording and keylogging as main strategy to harvest login credentials in an automated and scalable way. The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking Trojans: this approach usually requires more time and effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.” reads the analysis published by ThreatFabric.

Most of the apps targeted by Vultur belong to banks in Italy, Australia and Spain, experts discovered a link with a popular dropper framework called Brunhilda.

The experts found at least 2 dropper applications connected to Vultur, one of them has 5000+ installations from Google Play. Experts believe that the malware has already infected thousands of devices.

Vultur uses ngrok to provide remote access to the VNC server running on the device.

The banking Trojan leverages Accessibility Services to determine what application is in the foreground. If the application is included in the list of apps targeted by Vultur, it will initiate a screen recording session.

The malware appears in the notification panel masqueraded as an app called “Protection Guard.”

Vultur also leverages Accessibility Services to log all the keys pressed on the screen and to prevent manually uninstalling the applications.

The malware also focuses on the theft of crypto-wallet credentials and social media apps.

“The story of Vultur shows again how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of the actor. It enables us to observe a group that covers both processes of distribution and operation of malicious software.” concludes the report. “Banking threats on the mobile platform are no longer only based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording. This brings the threat to another level, as such features open the door for on-device fraud, circumventing detection based on phishing MO’s that require fraud to be performed from a new device”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Android banking malware)

[adrotate banner=”5″]

[adrotate banner=”13″]