Android malware comes in all sorts of variations, with myriad degrees of attack sophistication, that do everything from steal specific pieces of information from you to just outright co-opting your computer or mobile device. A new Android Trojan, however, which Amsterdam-based researchers have given the appropriately predatory name of “Vultur,” takes a much more scorched-earth approach to its targets. This nasty malware simply records every single happening on your phone screen. One effect of which is that it’s then a matter of child’s play to target things like your banking and social media apps.
“For the first time,” the researchers at information security firm ThreatFabric write, “we are seeing an Android banking Trojan that has screen recording and keylogging as (the) main strategy to harvest login credentials in an automated and scalable way. The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking Trojans.”
The latter approach, the researchers continue, usually requires more time and effort to steal user data. What’s happening here is the malware simply records what’s shown on the screen, “effectively obtaining the same end result.”
Android malware Vultur wreaking havoc
Among the key details to know about this latest Android threat:
A “dropper” called Brunhilda is what actually installs Vultur on Android phones. Tom’s Guide notes that the former can actually be found in several fitness, authentication, and phone security apps. And that even some of those have managed to sneak into the Google Play Store.
If you happened to download one of those infected apps, you probably wouldn’t see anything obviously amiss. Behind the scenes, however, Brunhilda “calls home” and downloads the Android malware. And according to ThreatFabric, Brunhilda may have managed to infect an estimated 30,000 phones.
“The story of Vultur shows again how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of the actor,” the ThreatFabric team adds. “Banking threats on the mobile platform are no longer only based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording.”
This, the ThreatFabric team warns ominously, brings the threat to a whole new level. That’s because it paves the way for more on-device fraud. “With Vultur, fraud can happen on the infected device of the victim. These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware back-end. And sent in the form of sequenced commands.”
Here, meanwhile, are important additional details to know. Users can save themselves from a Vultur attack by not letting the infected app use the phone’s Accessibility Services. Also, the “casting” icon should appear in an infected Android device’s notifications when it sends data to its central server. That’s a dead giveaway something is wrong. Provided, of course, you’re not casting anything, but the icon is still there anyway.