Android malware stealing credentials from more than 100 banking and cryptocurrency apps

August 3, 2021 | Cybersecurity News

Android malware comes in a variety of forms, each with varying levels of attack complexity. It may do anything from stealing specific pieces of information to completely co-opting your computer or mobile device. However, a new Android Trojan, dubbed “Vultur” by Amsterdam-based researchers, takes a considerably more scorched-earth approach to its targets.

This malicious software records everything that occurs on your phone’s screen. One impact of this is that targeting things like your banking and social networking apps becomes child’s play. Researchers from the information security company, ThreatFabric, noted that:

“For the first time, we see an Android banking Trojan that has screen recording and keylogging as (the) main strategy to harvest login credentials in an automated and scalable way. In addition, the actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking Trojans.”

According to the research team, the damage was widespread in Italy, Spain, Australia, the UK, and the Netherlands. In addition, malicious hackers have developed a new security threat that steals personal information from Android users who aren’t paying attention.

How does Vultur malware affect Android devices?

  • It captures actions on a mobile device using screen-recording methods and sends them back to the attackers’ servers. The malware is activated when individuals log in to their bank accounts, engage in cryptocurrency trading, or use social media platforms like Facebook.
  • Vultur is a challenging type of malware to deal with. It infected a number of Google Play Store fitness, phone security, and authentication apps.
  • Vultur additionally takes advantage of Android’s “Accessibility Services” feature. Users with visual or auditory impairments can use this feature to recognize content on their smartphone screen.
  • Its purpose is to allow an app to read what is currently displayed on the screen. Vultur uses this function to operate systems that steal information.
  • The malware makes use of the services to detect requests from a certain app. The malware also makes use of the services to prevent the program from being deleted using regular methods.
  • Vultur, in particular, hits the back button anytime the user tries to reach the app details screen in the Android settings. The user will be unable to reach the uninstall button as a result of this. Vultur hides its icon as well.

Vultur is installed on Android phones by a “dropper” called Brunhilda. Approximately 30,000 Android-based devices have been infected with Brunhilda to date, according to ThreatFabric, implying that thousands of users have been infected with Vultur.
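
The accessibility abuse and dropper-based installation described above suggest a simple device check, shown here as an added example that is not from ThreatFabric or the original article. It parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the allowlist, the severity labels and all sample package names are assumptions made for illustration.

```python
# Added example: triage accessibility services from captured adb output.
# Every package name and output string below is a constructed sample.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fitness.tracker/.core.HelperService"
)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fitness.tracker  installer=null
package:com.example.notes  installer=com.android.vending
"""
ALLOWED = {"com.google.android.marvin.talkback"}  # assumption: expected services
TRUSTED_INSTALLERS = {"com.android.vending"}      # assumption: Play Store only

def parse_enabled_services(raw):
    """Split the colon-separated setting into (package, service class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # unset setting: nothing enabled
        return []
    pairs = []
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs

def parse_installers(raw):
    """Map package -> installer (None when absent or 'null')."""
    installers = {}
    for line in raw.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue
        value = next((f[len("installer="):] for f in fields[1:]
                      if f.startswith("installer=")), "null")
        installers[fields[0][len("package:"):]] = None if value == "null" else value
    return installers

def triage(a11y_raw, packages_raw, allowed=ALLOWED):
    """Flag enabled accessibility services outside the allowlist."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(a11y_raw):
        if pkg in allowed:
            continue
        source = installers.get(pkg)  # None: sideloaded or dropped by another app
        severity = "review" if source in TRUSTED_INSTALLERS else "high"
        findings.append({"package": pkg, "service": cls,
                         "installer": source, "severity": severity})
    return findings
```

A "high" finding means an app that was not installed from the store holds an accessibility service, which matches how the article says Vultur arrives and operates; it is a prompt for investigation, not proof of infection.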

The ThreatFabric team stated that:

“The story of Vultur shows again how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of the actor. Banking threats on the mobile platform are no longer only based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording.”

The ThreatFabric team ominously warns that this raises the threat to a whole new level. This is because it encourages greater on-device fraud.

“With Vultur, fraud can happen on the infected device of the victim. Furthermore, these attacks are scalable and automated since the actions to perform fraud can be scripted on the malware back-end. And sent in the form of sequenced commands.”

Besides banking and cryptocurrency apps, the software also collects credentials for Facebook, Facebook-owned WhatsApp Messenger, TikTok, and Viber Messenger. Traditional keylogging is used to capture credentials for these apps, although the ThreatFabric report did not explain why.

How can you stop the infection?

It would be best if you disabled the Vultur malware’s App Permissions right away to stop it. To do so, go to “Settings,” “Apps,” and then choose the infected app. Next, toggle off all the choices that appear when you scroll down and open “App Permission.”

After that, you can attempt to uninstall the software. Select the infected app from “Settings,” “Apps.” Before clicking “Uninstall,” “Force Stop” its operation.

Final thoughts

As a precaution, users should avoid downloading programs or data from suspicious websites. Because hackers are becoming more difficult to detect, it’s important to watch for any strange behavior on your smartphone. Finally, only install apps and other software from trusted sources.

While Google has removed all known Brunhilda-infected Play Market apps, the company’s track record shows that new trojanized apps will most likely arise. Therefore, Android users should only install apps that provide helpful services and, if at all possible, only apps from well-known publishers. People should also be on the lookout for signs of malice in user ratings and app behavior!


by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! I love to write passionately about any subject, and my main inspiration is people's stories. You can also find me on social media, for some more friendly things!