The Android banking Trojan known as Vultur has re-emerged with a set of new features and improved anti-analysis and evasion techniques that allow operators to remotely manipulate mobile devices and collect sensitive data.
“Vultur also encrypts C2 communications and uses multiple encrypted payloads that are decrypted on the fly to perform malicious actions under the guise of a legitimate application,” NCC Group researcher Joshua Kamp said in a report released last week. “They are starting to disguise more malicious activity by doing so.”
Vultur was first publicly documented in early 2021; the malware is able to leverage Android’s accessibility APIs to perform malicious actions.
The malware has been observed to be distributed via Trojanized dropper apps on the Google Play Store, disguised as authenticator or productivity apps to trick unsuspecting users into installing them. These dropper apps are provided as part of a dropper-as-a-service (DaaS) operation called Brunhilda.
Other attack chains observed by NCC Group include droppers that are spread using a combination of SMS messages and phone calls, a technique known as telephone-oriented attack delivery (TOAD), which ultimately delivers an updated version of the malware.

“The first SMS message directs the victim to a phone call,” Kamp said. “When the victim calls that number, the scammer provides the victim with a second SMS containing a link to the dropper, posing as the [legitimate] McAfee security app.”
The initial SMS message aims to induce a false sense of urgency by instructing the recipient to call a number that authorizes a non-existent transaction involving a large amount of money.
Upon installation, the malicious dropper executes three associated payloads: two APKs and one DEX file. These payloads register the bot with the C2 server, obtain accessibility service permissions for remote access via AlphaVNC and ngrok, and execute commands retrieved from the C2 server.
One of the notable additions to Vultur is the ability to remotely interact with infected devices through Android’s accessibility services, including clicking, scrolling, and swiping, as well as downloading, uploading, deleting, installing, and searching for files.
Additionally, the malware is equipped to prevent victims from interacting with a predefined list of apps, display custom notifications in the status bar, and bypass lock screen security measures by disabling Keyguard.
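Because the capabilities described above hinge on the malware holding an accessibility service permission, one practical triage step is to review which accessibility services are actually enabled on a device. The following POSIX shell helper is an added example, not code from the article or from NCC Group; on a real device the value would come from `adb shell settings get secure enabled_accessibility_services`, but here a constructed sample value and a hypothetical allowlist are embedded so it runs offline.

```shell
#!/bin/sh
# Added example (not from the article): flag accessibility services enabled on an
# Android device that are not on an organisation's expected list.
#
# On a real device the input is the output of:
#   adb shell settings get secure enabled_accessibility_services
# which is a colon-separated list of "package/ServiceClass" component names.

# Constructed sample value; the second package name is hypothetical and stands in
# for a sideloaded "authenticator" app that registered its own accessibility service.
SAMPLE_ENABLED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.authenticator/.AccessService'

# Allowlist of services the fleet is expected to have enabled (assumption: edit for your devices).
ALLOWLIST='com.android.talkback/com.google.android.marvin.talkback.TalkBackService'

# Prints each enabled service that is absent from the allowlist, one per line.
# Usage: find_unexpected_services "<enabled list>" "<allowlist>"
find_unexpected_services() {
    enabled=$1
    allow=$2
    old_ifs=$IFS
    IFS=:                      # split both lists on the ':' separator Android uses
    for svc in $enabled; do
        [ -z "$svc" ] && continue
        found=0
        for ok in $allow; do
            [ "$svc" = "$ok" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$svc"
    done
    IFS=$old_ifs
}

# Stand-alone run against the constructed sample: reports the hypothetical
# com.example.authenticator/.AccessService entry and nothing else.
find_unexpected_services "$SAMPLE_ENABLED" "$ALLOWLIST"
```

Any service the script reports deserves a look at the owning package (installation source, requested permissions, and whether it also holds device-admin rights), since a legitimate assistive app and a dropper payload look identical in this setting until the package is inspected.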

“Vultur’s recent developments demonstrate a shift in focus to maximizing remote control of infected devices,” Kamp said.
“With the ability to issue commands like scrolling, swipe gestures, clicks, volume adjustments, blocking apps from running, and even incorporating file manager functionality, it is clear that the primary goal is to gain complete control over a compromised device.”
This development comes as Team Cymru revealed that the Android banking Trojan Octo (also known as Coper) has moved to a malware-as-a-service operation, offering its services to other information-stealing actors.
“This malware offers a variety of advanced features, including keylogging, intercepting SMS messages and push notifications, and controlling the device screen,” the company said.

“Various injects are used to steal sensitive information such as passwords and login credentials by displaying fake screens and overlays. Additionally, it uses VNC (Virtual Network Computing) for remote access to devices, strengthening its monitoring capabilities.”
The Octo campaign is estimated to have compromised 45,000 devices, primarily across Portugal, Spain, Turkey, and the United States. Some of the other victims are in France, the Netherlands, Canada, India and Japan.
The findings follow the appearance of a new campaign targeting Android users in India, distributing malicious APK packages masquerading as online booking, billing, and courier services via a malware-as-a-service (MaaS) offering.
Broadcom Inc.’s Symantec said in a bulletin that the malware “targets stealing banking information, SMS messages, and other sensitive information from victims’ devices.”