
Vultur banking malware for Android pretends to be McAfee Security app

By thedailyposting.com, March 30, 2024


Security researchers have discovered a new version of Vultur, the Android banking Trojan, that includes more advanced remote control capabilities and improved evasion mechanisms.

Researchers at fraud detection firm ThreatFabric first recorded the malware in March 2021 and observed it being distributed on Google Play through dropper apps in late 2022.


At the end of 2023, mobile security platform Zimperium included Vultur in its top 10 most active banking Trojans of the year, noting that nine of its variants targeted 122 banking apps in 15 countries.

A new, more evasive version of Vultur is spreading to victims through a hybrid attack that relies on smishing (SMS phishing) and phone calls, tricking targets into installing a version of the malware that masquerades as the McAfee Security app, reports Fox-IT, part of the NCC Group.

Vultur’s new infection chain

Vultur’s latest infection chain begins when victims receive an SMS message alerting them to a fraudulent transaction and instructing them to call a designated number for instructions.

The call is answered by a scammer who convinces the victim to open the link received in a second SMS. The link leads to a site that provides a modified version of the McAfee Security app.

Inside the trojanized McAfee Security app is a “Brunhilda” malware dropper.

Upon installation, the app decrypts and executes three Vultur-related payloads (two APKs and one DEX file) that gain access to accessibility services, initialize the remote control system, and establish a connection with the command and control (C2) server.

Vultur infection chain (Fox-IT)

New features

The latest version of the Vultur malware analyzed by researchers retains some key features of older versions, including screen recording, keylogging, and remote access via AlphaVNC and ngrok, allowing attackers to monitor and control the device in real time.

Compromised device identity information (Fox-IT)

Compared to older variants, the new Vultur introduces various new features, including:

  • File management actions such as downloading, uploading, deleting, installing, and searching for files on the device.
  • Using accessibility services to perform click, scroll, and swipe gestures.
  • Blocking specific apps from running on the device and displaying custom HTML or a “Temporarily Unavailable” message to users.
  • Displaying custom notifications in the status bar to mislead victims.
  • Disabling Keyguard to bypass lock screen security and gain unrestricted access to the device.

Some of the functionality of the third payload (Fox-IT)

In addition to these features, the latest version of Vultur also adds new evasion mechanisms, such as encryption of C2 communications (AES + Base64), use of multiple encrypted payloads that are decrypted on the fly when needed, and hiding its malicious activities under the guise of a legitimate app.

Encrypted POST request (Fox-IT)

Additionally, the malware uses native code to decrypt the payload, making the reverse engineering process more difficult and also helping to evade detection.

Researchers point out that Vultur’s developers appear to have focused on improving remote control of infected devices, using commands such as scrolling, swipe gestures, clicks, volume control, and blocking app execution.

It is clear that the malware authors have made efforts to improve the stealthiness of the malware and add new features at a rapid pace, which indicates that future versions are likely to add even more features.

To minimize the risk of malware infection on Android, we recommend that users only download apps from trusted repositories, such as Android’s official app store or Google Play, and avoid clicking URLs in messages.

We always recommend checking the permissions an app requests during installation and only agreeing to the permissions required for the app’s core functionality. For example, a password management app shouldn’t require access to your phone’s camera or microphone.
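The permission check recommended above can be automated for an APK you are triaging. The following is an added example, not code from the article or from Fox-IT: it audits a decoded AndroidManifest.xml for permissions outside what the app's stated purpose needs and for a declared accessibility service, the capability Vultur relies on. It assumes the manifest has already been decoded to text XML; the sample manifest, the package name and the choice of flagged permissions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions tied to capabilities the article describes; the selection is this example's assumption.
RISKY = {
    "android.permission.CAMERA": "camera access",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.DISABLE_KEYGUARD": "can dismiss the lock screen",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install other APKs",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (hypothetical package, not a real app or sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def audit_manifest(xml_text, expected=frozenset()):
    """Return findings for permissions outside `expected` and for accessibility services."""
    root = ET.fromstring(xml_text)  # parse only manifests you decoded yourself
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = [f"{p}: {why}" for p, why in sorted(RISKY.items())
                if p in requested and p not in expected]
    for svc in root.iter("service"):
        if svc.get(A + "permission") == BIND_A11Y:
            findings.append(f"accessibility service: {svc.get(A + 'name')}")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

Pass the permissions the app legitimately needs as `expected` (for example the camera permission for a QR scanner) so that only the unexplained ones are reported.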
