ThreatFabric researchers described a previously undocumented Android remote access trojan (RAT) that steals sensitive information from the device, such as banking credentials, by using screen-recording features.
Researchers dubbed it “Vultur” (a corruption of “vulture”) because it gains full visibility into the target’s activities by using the remote screen-sharing technology of Virtual Network Computing (VNC).
The threat actor distributed it on the Google Play Store as an Android app called Protection Guard and tricked thousands of users into installing it.
The primary targets were crypto-wallet and banking apps operating out of Australia, Spain, and Italy.
Researchers note that banking malware usually relies on overlay attacks to trick users into revealing their passwords. This type of attack works by creating a fake version of the bank’s login page and overlaying it on top of the legitimate app. The threat actor behind Vultur, however, took a different approach.
“For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way,” researchers from ThreatFabric said in a report.
Instead, the actor simply records what’s shown on the screen.
“The actors chose to steer away from the common HTML overlay development we usually see in other Android banking Trojans: this approach usually requires a larger time and effort investment from the actors to create multiple overlays capable of tricking the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.”
Vultur takes advantage of accessibility permissions to capture keystrokes and secretly records all activity on the phone by abusing VNC’s screen-sharing feature. This eliminates the need to register a new device and effectively avoids detection by the bank’s security tools.
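The combination described above (an accessibility service for keystroke capture plus network access to ship what is captured) is something a defender can check for statically before an app is trusted. The following Python script is an added example and is not ThreatFabric’s code or anything recovered from the Vultur sample: it parses a constructed AndroidManifest.xml (the package name, service name and label are made up for illustration) and flags any service bound with `android.permission.BIND_ACCESSIBILITY_SERVICE` or registered for the `android.accessibilityservice.AccessibilityService` action, raising the risk rating when the same app also requests `android.permission.INTERNET`.

```python
import xml.etree.ElementTree as ET

# Android's manifest attribute namespace (real value used by every AndroidManifest.xml).
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for illustration only; it is NOT Vultur's real manifest.
# It has the shape the article describes: an accessibility service plus Internet access.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.protectionguard">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Protection Guard">
        <service android:name=".KeyCaptureService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest: no accessibility service, no network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def resolve_class(package, name):
    """Expand a relative component name (".Foo") to its fully qualified form."""
    if name and name.startswith("."):
        return package + name
    return name


def analyze_manifest(xml_text):
    """Return the declared permissions, any accessibility services and a risk rating."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    permissions = {android_attr(e, "name") for e in root.iter("uses-permission")}

    accessibility_services = []
    for service in root.iter("service"):
        bound_by_permission = android_attr(service, "permission") == ACCESSIBILITY_PERMISSION
        registered_action = any(
            android_attr(action, "name") == ACCESSIBILITY_ACTION
            for action in service.iter("action")
        )
        if bound_by_permission or registered_action:
            accessibility_services.append(resolve_class(package, android_attr(service, "name")))

    # Rating: an accessibility service alone deserves review (legitimate assistive
    # apps use it too); paired with Internet access it matches the keylog-and-exfiltrate
    # pattern the article describes and should be treated as high risk.
    if accessibility_services and "android.permission.INTERNET" in permissions:
        risk = "high"
    elif accessibility_services:
        risk = "medium"
    else:
        risk = "low"

    return {
        "package": package,
        "permissions": permissions,
        "accessibility_services": accessibility_services,
        "risk": risk,
    }


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = analyze_manifest(manifest)
        print(label, report["package"], report["risk"], report["accessibility_services"])
```

The check is deliberately coarse: it only reads the manifest, so it says nothing about what the service actually does at runtime, but it is a cheap first filter for app-vetting pipelines and for reviewing devices on which an unexpected accessibility service has been enabled.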
The malware also uses a cross-platform utility, ngrok, to expose local servers behind NATs and firewalls to the public Internet using secure tunnels.
This utility sends commands to a command-and-control server to receive data and screen captures via a Firebase Cloud Messaging server.
ThreatFabric’s investigation revealed links between Vultur and Brunhilda, a dropper that uses the Play Store to distribute various types of malware.
Researchers believe the operator behind Vultur is a private threat actor that developed its proprietary RAT and a dropper.
“The story of Vultur shows one more time how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of this group,” the researchers concluded.