‘Vultur’ Android Malware Gets Extensive Device Interaction Capabilities

source: securityweek.com  |  image: pexels.com


The Android banking malware known as Vultur has been updated with new capabilities, allowing operators to interact with the infected devices and modify files, according to a report from security consulting outfit NCC Group.

Vultur was first documented in March 2021, when it stood out for the abuse of the legitimate applications AlphaVNC and ngrok for remotely accessing the VNC server on the victim device, and for automating screen recording and key-logging for credential harvesting.

The most recent version of the banking malware, however, packs significantly more capabilities, allowing attackers to control the infected device, prevent applications from running, display custom notifications, bypass lock-screen protections, and download, upload, install, search for, and delete files.

The new features, according to the NCC Group report, are mostly related to the remote interaction with the infected device, but the malware continues to rely on AlphaVNC and ngrok for remote access.

In addition, Vultur features updated anti-analysis and detection evasion techniques, spreading the malicious code over multiple payloads, modifying legitimate applications, using native code for payload decryption, and relying on AES encryption for command-and-control (C&C) communication.

The infection chain starts with a SMS message instructing the victim to call a phone number to resolve a large transaction that they did not authorize. During the call, a second SMS message that includes a link to a modified McAfee Security package is received.

The modified application contains the functionality of the legitimate McAfee Security software, along with the dropper-framework called Brunhilda, which deploys Vultur via three payloads, the last two designed to invoke each other’s functionality.

The NCC Group report notes that Brunhilda first registers with its C&C server, which delivers the first payload, designed to obtain Accessibility Service privileges and install the next stage. The second payload contains the AlphaVNC and ngrok setup, while the third, a Dalvik Executable (DEX) file, contains the core backdoor functionality.

For remote interaction with the infected device, the malware includes seven new C&C methods, allowing the attackers to perform “clicks, scrolls, swipe gestures, and more”, and 41 new commands related to Firebase Cloud Messaging (FCM), a messaging service provided by Google.

“The message sent by the malware operator through FCM can contain a command, which, upon receipt, triggers the execution of corresponding functionality within the malware. This eliminates the need for an ongoing connection with the device,” NCC Group explains.

The latest version of Vultur can also prevent the user from interacting with applications on the device, which are defined in a list provided by the attacker.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said in an emailed statement.