
This Android malware steals your data in the most devious way

Published Aug 2nd, 2021 8:12PM EDT


Android malware comes in all sorts of variations, with myriad degrees of attack sophistication, doing everything from stealing specific pieces of information from you to outright co-opting your computer or mobile device. A new Android Trojan, however, which Amsterdam-based researchers have given the appropriately predatory name of “Vultur,” takes a much more scorched-earth approach to its targets. This nasty malware simply records everything that happens on your phone screen, which makes it child’s play to target things like your banking and social media apps.

“For the first time,” the researchers at information security firm ThreatFabric write, “we are seeing an Android banking Trojan that has screen recording and keylogging as (the) main strategy to harvest login credentials in an automated and scalable way. The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking Trojans.”

The latter approach, the researchers continue, usually requires more time and effort to steal user data. What’s happening here is the malware simply records what’s shown on the screen, “effectively obtaining the same end result.”

Android malware Vultur wreaking havoc

Among the key details to know about this latest Android threat:

A “dropper” called Brunhilda is what actually installs Vultur on Android phones. Tom’s Guide notes that Brunhilda can be found in several fitness, authentication, and phone security apps, and that some of those have even managed to sneak into the Google Play Store.

If you happened to download one of those infected apps, you probably wouldn’t see anything obviously amiss. Behind the scenes, however, Brunhilda “calls home” and downloads the Android malware. And according to ThreatFabric, Brunhilda may have managed to infect an estimated 30,000 phones.

Postscript

“The story of Vultur shows again how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of the actor,” the ThreatFabric team adds. “Banking threats on the mobile platform are no longer only based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording.”

This, the ThreatFabric team warns ominously, brings the threat to a whole new level. That’s because it paves the way for more on-device fraud. “With Vultur, fraud can happen on the infected device of the victim. These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware back-end and sent in the form of sequenced commands.”

Here, meanwhile, are important additional details to know. Users can save themselves from a Vultur attack by not letting the infected app use the phone’s Accessibility Services. Also, the “casting” icon should appear in an infected Android device’s notifications when it sends data to its central server. That’s a dead giveaway something is wrong, provided, of course, that you’re not casting anything but the icon is there anyway.

Andy Meek Trending News Editor
