Vultur, a new remote access trojan (RAT), is being downloaded through the Google Play Store. Hacker gangs are using the malware to fine-tune the harvesting of login credentials from more than 100 cryptocurrency apps, payment platforms, and banking apps.
It was discovered by the Amsterdam-based cybersecurity firm ThreatFabric. Vultur is one of the first Android threats with the ability to copy a device screen when a targeted app is opened.
Researchers at ThreatFabric have published a warning post. They describe how the malware relies on an implementation of the VNC screen-sharing application, which mirrors the screen of the infected device and sends the information to a hacker-controlled server.
The malware is “smarter” than previous versions, and it takes the threat to a whole new level.
Vultur is a stealthy attacker
Typical Android-based bank-fraud malware superimposes a window over the login screen. This “overlay” looks identical to the user interface of the banking app, so when users enter login credentials they believe they are using secure software. The hackers then steal the credentials and enter them on a separate device running the app. This allows the attacker to pose as the victim and take the money directly.
“Banking threats on the mobile platform are no longer only based on well-known overlay attacks but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording,” said ThreatFabric researchers, describing the innovations in how Vultur operates.
It has stealth features that make on-device fraud easier. Vultur can circumvent phishing MOs that require the use of two devices. Attacks are automated and can be scripted on the backend of the malware through sequenced commands.
It operates smoothly and stealthily by obtaining permissions when downloaded. This hybrid malware uses an overlay taken from earlier versions of malware. Then it monitors all requests and waits until accessibility services are triggered.
The malware can remain hidden in trojanized apps, which are full-featured programs that provide real services such as health and fitness tracking or even two-factor authentication.
Vultur can also protect itself from being deleted. When the user tries to open the app details screen in the Android settings, Vultur automatically clicks the back button. This effectively blocks the user from reaching the uninstall button.
It also hides its own icon.
Despite the high-level cloaking, when the malware is running, the trojanized app that installs Vultur will appear in the Android notification panel as projecting the screen.
Android users, be aware! Only install apps you need from well-known creators. Before downloading, research user ratings and see what other users have to say.