
Cybersecurity: How New ‘Vultur’ malware is being used to steal banking credentials - Researchers


Experts disclose that the new malware, disguised as an app called “Protection Guard”, which has garnered over 5,000 installations, uses screen recording features to steal personal information from consumers’ devices.

Gbenga Kayode | ConsumerConnect

Experts have alerted consumers of financial products and services in particular to a new Android-based malware found to be using screen recording features to log in, and ultimately steal sensitive information from targeted devices.

The malware, dubbed “Vultur” by researchers at Amsterdam-based security firm ThreatFabric, was distributed through the Google Play Store, CyberNews reports.

It was gathered that the malware was disguised as an app called “Protection Guard,” which garnered over 5,000 installations.

Researchers stated that the primary targets are banking and crypto-wallet apps from entities located in Italy, Australia, and Spain.

The experts also disclosed that the Remote Access Trojan (RAT) worked by taking advantage of accessibility permissions to capture keystrokes.

It leveraged screen recording features to log all activities on the targeted device, enabling it to steal banking credentials and more.

Abuses accessibility services

When Vultur is first installed, the report noted, it abuses accessibility services built into the mobile operating system (OS) in order to obtain the required permissions.

It does so by borrowing an overlay from other malware families. After that, it goes to work monitoring all requests that trigger the accessibility services.

Researchers from ThreatFabric said: “For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way.”

According to them, the tactics employed by the bad actors behind Vultur are a deviation from “the common HTML overlay development we usually see in other Android banking Trojans,” which tends to be a more time-consuming way to siphon information.

“Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.”

Researchers added that “the story of Vultur shows one more time how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of this group.

“These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware backend and sent in the form of commands sequence, making it easy for the actor(s) to hit-and-run.”
