Recently detected Android malware, some spread through the Google Play Store, uses a novel way to supercharge the harvesting of login credentials from more than 100 banking and cryptocurrency applications.
The malware, which researchers from Amsterdam-based security firm ThreatFabric are calling Vultur, is among the first Android threats to record a device screen whenever one of the targeted apps is opened. Vultur uses a real implementation of the VNC screen-sharing application to mirror the screen of the infected device to an attacker-controlled server, researchers with ThreatFabric said.
The next level
The typical modus operandi for Android-based bank-fraud malware is to superimpose a window on top of the login screen presented by a targeted app. The “overlay,” as such windows are usually called, appears identical to the user interface of the banking app, giving victims the impression they’re entering their credentials into a trusted piece of software. Attackers then harvest the credentials, enter them into the app running on a different device, and withdraw money.
“Banking threats on the mobile platform are no longer only based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording,” ThreatFabric researchers wrote of the new Vultur approach in a post.
accessibility services built into the mobile OS. When first installed, Vultur abuses these services to obtain the permissions required to work. To do this, the malware uses an overlay taken from other malware families. From then on, Vultur monitors all requests that trigger the accessibility services.
Stealth and more
The malware uses the services to detect requests that come from a targeted app. The malware also uses the services to prevent deletion of the app via traditional measures. Specifically, whenever the user tries to access the app details screen in the Android settings, Vultur automatically clicks the back button. That blocks the user from accessing the uninstall button. Vultur also hides its icon.
Another way the malware remains stealthy: trojanized apps that install it are full-featured programs that actually provide real services, such as fitness tracking or two-factor authentication. Despite the cloaking attempts, however, the malware provides at least one telltale sign that it’s running—whatever trojanized app installed Vultur will appear in the Android notification panel as projecting the screen.
Once installed, Vultur starts the screen recording, using a VNC implementation from Alpha VNC. To provide remote access to the VNC server running on the infected device, the malware uses ngrok, an app that uses an encrypted tunnel to expose local systems hidden behind firewalls to the public Internet.
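For defenders triaging a suspect handset, the three behaviors described above (an enabled accessibility service, the screen-projection notification, and an ngrok tunnel) can be correlated. The following is an added example, not code from ThreatFabric or the article; the package names, DNS entries, allowlist, and the `.ngrok.io` suffix are constructed or assumed and should be adjusted to the environment.

```python
# Added triage sketch. All sample values are constructed, not from a real device.

# Output of: adb shell settings get secure enabled_accessibility_services
# (colon-separated "package/service-class" entries, or "null" when none are enabled).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fittracker/com.example.fittracker.CoreService"
)
# Packages expected to hold accessibility access on this fleet (assumption).
ALLOWLIST = {"com.google.android.marvin.talkback"}
# Package the notification panel names as projecting the screen (read by the analyst).
SAMPLE_PROJECTING = "com.example.fittracker"
# Hostnames taken from a DNS or proxy log for the device (constructed).
SAMPLE_DNS = ["play.googleapis.com", "a1b2c3.ngrok.io."]
# Tunnel hostname suffixes to look for (assumption; extend as needed).
TUNNEL_SUFFIXES = (".ngrok.io",)


def a11y_packages(setting_value):
    """Parse the secure setting into the set of package names it lists."""
    pkgs = set()
    for component in setting_value.strip().split(":"):
        if "/" in component:  # skips "null" and empty fragments
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def triage(setting_value, projecting_pkg, dns_names, allowlist=ALLOWLIST):
    """Return {package: [reasons]} for packages that deserve a manual look."""
    unexpected = a11y_packages(setting_value) - set(allowlist)
    tunnel_hits = [h for h in dns_names
                   if h.lower().rstrip(".").endswith(TUNNEL_SUFFIXES)]
    findings = {}
    for pkg in sorted(unexpected):
        reasons = ["accessibility service enabled, not allowlisted"]
        if pkg == projecting_pkg:
            reasons.append("also shown as projecting the screen")
            if tunnel_hits:
                reasons.append("device resolved tunnel host(s): "
                               + ", ".join(tunnel_hits))
        findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_A11Y, SAMPLE_PROJECTING, SAMPLE_DNS).items():
        print(pkg, "->", "; ".join(reasons))
```

A single reason is common for legitimate accessibility tools; a package that collects all three matches the pattern the article describes and warrants closer inspection.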
Besides banking and cryptocurrency apps, the malware also harvests credentials for Facebook, Facebook-owned WhatsApp messenger, TikTok, and Viber Messenger. Credential harvesting for these apps occurs through traditional keylogging, although the ThreatFabric post didn’t explain why.
While Google has removed all Play Market apps known to contain Brunhilda, the company’s track record suggests that new trojanized apps will probably appear. Android users should only install apps that provide useful services and, even then, only apps from well-known publishers, when at all possible. People should also pay close attention to user ratings and app behavior for indications of malice.