A recently detected Android malware, called Vultur and spread through the Google Play Store, uses a novel technique to collect login credentials from more than 100 banking and cryptocurrency applications.
The malware, which researchers at the security company ThreatFabric call Vultur, is one of the first Android threats to record the device screen every time one of its targeted applications opens. Vultur uses a real implementation of the VNC screen-sharing application to mirror the screen of the infected device to an attacker-controlled server, ThreatFabric researchers say.
The typical approach for Android banking-fraud malware is to place a window above the login screen displayed by a targeted application. "Overlays", as such windows are commonly called, look identical to the user interfaces of banking applications, giving victims the impression that they are entering their credentials into trusted software. Attackers then collect the credentials, enter them into the application on a different device, and steal money.
Vultur, like many Android banking trojans, relies heavily on the accessibility services built into the mobile operating system. On first installation, Vultur abuses these services to obtain the permissions it needs to operate. To do this, the malware uses an overlay taken from other malware families. From then on, Vultur monitors all requests that activate accessibility services.
The malware uses these services to detect requests coming from a targeted application. It also uses them to stop the user from removing the application through the usual means. Specifically, every time the user tries to open the app details screen in the Android settings, Vultur automatically clicks the back button, which blocks access to the uninstall button. Vultur also hides its icon.
Another way the malware stays hidden: the trojanized applications that install it are fully functional programs that provide real services, such as fitness monitoring or two-factor authentication. Despite these attempts at concealment, the malware gives at least one warning sign that it is running: whatever trojanized application installed Vultur will appear in the Android notification panel while it is mirroring the screen.
Once installed, Vultur starts recording the screen using the VNC application from Alpha VNC. To provide remote access to the VNC server running on the infected device, the malware uses Warmk, an application that uses an encrypted tunnel to expose local systems hidden behind firewalls to the public Internet.
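As an added defender-side illustration (not code from ThreatFabric or from the Ars Technica article), the following Android/Java snippet shows two mitigations a banking app can apply against the techniques described in the preceding paragraphs: marking the login window secure so that the platform excludes it from screen capture, which is what VNC-style screen mirroring on a non-rooted device depends on, and listing the enabled accessibility services whose package is not on an app-owner allowlist, so that unexpected accessibility access can feed a risk decision. The class name, method names and the allowlist are assumptions; the Android APIs used (FLAG_SECURE, AccessibilityManager, AccessibilityServiceInfo) are real.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.ResolveInfo;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Hardening helpers for a banking app's login screen against the two
 * behaviours described above: screen mirroring and accessibility abuse.
 * Added example; class and method names are hypothetical.
 */
public final class LoginScreenHardening {

    private LoginScreenHardening() {}

    /**
     * Mark the window as secure. Android then omits it from screenshots and
     * from MediaProjection-based screen recording, which is the only screen
     * capture path available to an app on a non-rooted device. Call this in
     * onCreate() of the login Activity before setContentView().
     */
    public static void applySecureFlag(Activity activity) {
        activity.getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    /**
     * Return the ids ("package/ServiceClass") of enabled accessibility
     * services whose package is not on the allowlist. An empty list means
     * no unexpected service currently has accessibility access to this
     * app's UI.
     *
     * allowedPackages is an assumed, app-owner-maintained set (for example
     * the platform screen reader). Whether a non-empty result blocks login
     * or only raises a risk score is a product decision, not shown here.
     */
    public static List<String> unexpectedAccessibilityServices(
            Context context, Set<String> allowedPackages) {
        List<String> unexpected = new ArrayList<>();
        AccessibilityManager am = (AccessibilityManager)
                context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return unexpected;
        }
        // All currently enabled services, regardless of feedback type.
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(
                        AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            ResolveInfo ri = info.getResolveInfo();
            String pkg = (ri != null && ri.serviceInfo != null)
                    ? ri.serviceInfo.packageName
                    : null;
            // Unknown package or not allowlisted: report it for review.
            if (pkg == null || !allowedPackages.contains(pkg)) {
                unexpected.add(info.getId());
            }
        }
        return unexpected;
    }
}
```

In the login Activity, call applySecureFlag(this) in onCreate() and evaluate unexpectedAccessibilityServices(this, allowlist) before showing the credential form. The secure flag is enforced by the OS compositor rather than by the app, so it holds even when malware already has accessibility rights; the accessibility check is a signal for risk scoring and server-side monitoring, not a control that malware cannot work around.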
The malware is installed by a trojanized application known as a dropper. So far, ThreatFabric researchers have found two trojanized applications on Google Play that install Vultur. Together they had approximately 5,000 installations, leading the researchers to estimate that the number of Vultur infections is in the thousands. Unlike most Android malware, which is installed by third-party droppers, Vultur uses a custom dropper called Brunhilda.
The researchers found that Brunhilda has also been used to install a different Android malware known as Alien. In all, the researchers estimate that Brunhilda has infected more than 30,000 devices. They based their assessment on malicious applications previously available on the Play Store, some with more than 10,000 installations each, as well as on data from third-party markets.
Vultur is programmed to record the screen when any of 103 Android banking or cryptocurrency applications runs in the foreground.
In addition to banking and cryptocurrency applications, the malware also collects credentials for Facebook, WhatsApp Messenger, TikTok and Viber Messenger.
While Google has removed all Play Store applications known to contain Brunhilda, Android users should only install apps that provide useful services and, even then, only apps from reputable publishers when possible. Users should also pay close attention to user ratings and to an app's behaviour for signs of malicious activity.
Source of information: arstechnica.com