Security researchers have discovered a new version of the Vultur banking trojan that is posing as a security app to steal data from Android users. Researchers claim that the latest version of the malware includes more advanced remote control capabilities and an improved evasion mechanism.
A report from Fox-IT (spotted by Bleeping Computer), which is part of the NCC Group, has warned users that cybercriminals are spreading a new, more evasive version of Vultur to victims through a hybrid attack. This type of attack relies on “smishing” (SMS phishing) and phone calls that trick targets into installing a version of the malware that poses as the McAfee Security app.
How the new version of Vultur is more dangerous
The report revealed that the infection chain of the latest version of Vultur starts with the victim receiving an SMS message alerting them of an unauthorised transaction and instructing them to call a provided number for guidance. When the victim follows the instructions, the call is answered by a fraudster who persuades the victim to open a link that arrives in a second SMS. Clicking on this link directs the victim to a site that offers a fake version of the McAfee Security app.
The modified version of the McAfee Security app includes the ‘Brunhilda’ malware dropper. Once installed, the fake app decrypts and executes three Vultur-related payloads (two APKs and a DEX file) that can obtain access to the Accessibility Services, initialise the remote control systems and establish a connection with its command and control (C2) server.
Compared to old variants, the latest version of Vultur comes with a range of new features, which include:
- File management actions that can download, upload, delete, install and find files on the device.
- Using Accessibility Services to perform clicks, scrolling and swiping gestures.
- Blocking specific apps from executing on the device, displaying custom HTML or a “Temporarily Unavailable” message to the user.
- Misleading victims by displaying custom notifications in the status bar.
- Disabling the Keyguard to bypass lock screen security and gain unrestricted access to the device.
Apart from these features, the latest version of Vultur also includes new evasion mechanisms, such as encrypting its C2 communications (AES + Base64), using multiple encrypted payloads that are decrypted only when needed, and performing its malicious activities under the guise of legitimate apps. Moreover, the malware uses native code to decrypt the payload, which makes reverse engineering more difficult and helps it evade detection.
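The capabilities listed above (Accessibility Services abuse, Keyguard disabling, package installation, overlays) and the native-code loading described in this paragraph all leave traces in what an APK has to declare. The following Python script is an added triage example written for this article; it is not code from Fox-IT, NCC Group or any vendor. It parses a decoded AndroidManifest.xml, flags the declarations that those behaviours require, and flags a brand mismatch when the app label claims a vendor name but the package id is outside that vendor's namespace. The weights, the `KNOWN_BRANDS` package prefix (`com.example.mcafee.` is a placeholder, not the vendor's real namespace) and the two sample manifests are constructed assumptions; a decoded manifest whose label is a resource reference (`@string/app_name`) would need the string resolved first.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed triage weights: higher for capabilities the article ties to the trojan.
WEIGHTS = {
    "accessibility_service": 3,  # clicks, scrolling and swiping via Accessibility Services
    "disable_keyguard": 3,       # bypassing lock screen security
    "install_packages": 2,       # dropper installing further APKs
    "overlay": 2,                # custom HTML / "Temporarily Unavailable" screens
    "receive_sms": 1,            # reading the smishing follow-up links
    "native_libs": 1,            # native code used to decrypt payloads (weak signal on its own)
    "brand_mismatch": 3,         # label impersonates a vendor the package does not belong to
}

# Placeholder: map a brand word in the app label to the package prefixes that vendor
# legitimately ships under. Replace with verified values before real use.
KNOWN_BRANDS = {
    "mcafee": ("com.example.mcafee.",),
}

# Manifest permissions that a declared behaviour from the article depends on.
PERMISSION_FLAGS = {
    "android.permission.DISABLE_KEYGUARD": "disable_keyguard",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install_packages",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_SMS": "receive_sms",
}


def triage_manifest(manifest_xml, lib_names=()):
    """Return the package id, a constructed risk score and the list of findings.

    manifest_xml: a decoded AndroidManifest.xml as text.
    lib_names: file names found under lib/<abi>/ in the APK (hypothetical input).
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = set()

    # Dangerous permissions are direct <uses-permission> children of <manifest>.
    for elem in root.findall("uses-permission"):
        flag = PERMISSION_FLAGS.get(elem.get(ANDROID_NS + "name"))
        if flag:
            findings.add(flag)

    app = root.find("application")
    label = (app.get(ANDROID_NS + "label", "") if app is not None else "").lower()

    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    if app is not None:
        for svc in app.findall("service"):
            if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
                findings.add("accessibility_service")

    # Label says "McAfee" but the package id is not in that vendor's namespace.
    for brand, prefixes in KNOWN_BRANDS.items():
        if brand in label and not package.startswith(prefixes):
            findings.add("brand_mismatch")

    if any(name.endswith(".so") for name in lib_names):
        findings.add("native_libs")

    score = sum(WEIGHTS[f] for f in findings)
    return {"package": package, "score": score, "findings": sorted(findings)}


# Constructed sample: an app impersonating a security vendor with the declarations above.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.fake.secure">
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="McAfee Security">
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SUSPICIOUS_MANIFEST, lib_names=("libnative.so",)))
    print(triage_manifest(BENIGN_MANIFEST))
```

The score is only a ranking aid for which samples to look at first; a legitimate security product will also declare an accessibility service or an overlay permission, which is why the brand mismatch carries as much weight as the most dangerous capability.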