New Android Banking Malware Discovered

Vultur could have infected thousands of devices already

A recently discovered banking malware uses a new way to record login credentials on Android devices.

ThreatFabric, a security firm based in Amsterdam, first discovered the new malware, which it calls Vultur, in March. According to Ars Technica, Vultur forgoes the previously standard way of capturing credentials and instead uses virtual network computing (VNC) with remote access capabilities to record the screen when a user enters their login details into specific applications.

While the malware was originally discovered in March, researchers with ThreatFabric believe they have connected it to the Brunhilda dropper, a malware dropper previously used in several Google Play apps to distribute other banking malware.

ThreatFabric also says that the way Vultur approaches gathering data is different from past Android trojans. It doesn’t superimpose a window over the application to collect the data you enter into the app. Instead, it uses VNC to record the screen and relay that data back to the bad actors running it.

According to ThreatFabric, Vultur works by relying heavily on Accessibility Services found on the Android device. When the malware is started, it hides the app icon and then "abuses the services to obtain all the necessary permissions to operate properly." ThreatFabric says this is a similar method to the one used in a previous malware called Alien, which it believes could be connected to Vultur.

The biggest threat Vultur brings is that it records the screen of the Android device it's installed on. Using the Accessibility Services, it keeps track of what application is running in the foreground. If that application is on Vultur’s target list, the trojan will start recording and will capture anything typed or entered.

Figure: An illustration of how Vultur works when installed on Android devices.

Additionally, ThreatFabric researchers say Vultur interferes with traditional methods of uninstalling apps. Those trying to manually uninstall the application may find the bot automatically clicks the back button when the user reaches the app details screen, effectively locking them out of reaching the uninstall button.
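A defender-side check for the traits described above (reliance on Accessibility Services combined with a hidden app icon), added here as an example and not taken from ThreatFabric or the original article. It assumes the device's `enabled_accessibility_services` secure setting and the package lists have already been collected, for instance over adb; the function names, package names and sample values are constructed for illustration.

```python
# Added example: flag enabled accessibility services that look Vultur-like.
# Inputs are assumed to be collected beforehand, e.g. the setting value from
# `adb shell settings get secure enabled_accessibility_services`.

def parse_enabled_services(setting_value):
    """Split the colon-separated 'package/class' list into (package, class)."""
    value = (setting_value or "").strip()
    if value in ("", "null"):          # setting unset: no services enabled
        return []
    services = []
    for component in value.split(":"):
        package, sep, cls = component.strip().partition("/")
        if not sep or not package or not cls:
            continue                   # malformed entry, ignore
        if cls.startswith("."):        # shorthand class, relative to package
            cls = package + cls
        services.append((package, cls))
    return services

def triage(setting_value, third_party, with_launcher_icon, allowlist=frozenset()):
    """Return findings for user-installed apps holding an accessibility service.

    'high' = also has no launcher icon (the hidden-icon trait in the article).
    """
    findings = []
    for package, cls in parse_enabled_services(setting_value):
        if package in allowlist or package not in third_party:
            continue                   # preinstalled or explicitly trusted
        hidden = package not in with_launcher_icon
        findings.append({
            "package": package,
            "service": cls,
            "severity": "high" if hidden else "review",
        })
    return findings

# Constructed sample data (not from a real device).
SAMPLE_SETTING = (
    "com.example.vendor.screenreader/.ReaderService:"
    "com.example.passwordmgr/com.example.passwordmgr.FillService:"
    "com.example.fitnesstool/.CoreService"
)
SAMPLE_THIRD_PARTY = {"com.example.passwordmgr", "com.example.fitnesstool", "com.example.game"}
SAMPLE_WITH_ICON = {"com.example.passwordmgr", "com.example.game"}

if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, SAMPLE_THIRD_PARTY, SAMPLE_WITH_ICON):
        print(f"{f['severity']:6} {f['package']} ({f['service']})")
```

A "review" finding is not evidence of compromise, since legitimate apps such as password managers also register accessibility services; the "high" case is the combination the article attributes to Vultur.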

Ars Technica notes that Google has removed all the Play Store apps known to contain the Brunhilda dropper, but it is possible new apps could appear in the future. As such, users should install only trusted apps on their Android devices. While Vultur mostly targets banking applications, it has also been known to log key inputs for applications like Facebook, WhatsApp, and other social media apps.
