- ThreatFabric has discovered a new Android banking trojan, Vultur.
- Vultur is more advanced than other Android banking trojans as it uses screen recording to steal login credentials.
- This malware has been used to target banking applications and crypto wallets as well.
According to ThreatFabric, Vultur is the first Android banking trojan it has discovered that uses both screen recording and keylogging as its main strategy for obtaining a user’s login credentials. Other Android banking trojans rely on the usual HTML overlay strategy, which takes more time and effort to steal sensitive data.
The Vultur malware was found in at least two dropper apps with one having more than 5,000 installations on the Play Store. ThreatFabric estimates the number of potential victims to be in the thousands. This malware mostly targeted banking institutions in Italy, Australia and Spain. Crypto wallets were also targeted, it added.
How Vultur works
Vultur relies on Accessibility Services to operate on Android smartphones. It uses VNC (Virtual Network Computing), software used to remotely control another computer, to screen record everything that happens on the victim’s phone. It can even detect when the victim is using an app on its list of targeted apps so that it can initiate the screen recording process. ThreatFabric noted that while the screen recording is going on, the notification panel will show “Projection Guard” under the casting icon.
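A device-triage check for the two behaviours described above (an enabled Accessibility Service and active screen capture), as an added example that is not from ThreatFabric's report. It parses the output of `settings get secure enabled_accessibility_services` and `pm list packages -3`; the package names, the allowlist and the set of screen-capturing packages are constructed assumptions.

```python
def parse_accessibility_services(setting_value):
    """Parse `settings get secure enabled_accessibility_services` output.

    The value is a colon-separated list of package/class component names;
    a class starting with '.' is shorthand for the package prefix.
    """
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    services = []
    for component in value.split(":"):
        package, sep, cls = component.strip().partition("/")
        if not sep or not package or not cls:
            continue  # malformed entry: skip rather than guess
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def parse_third_party_packages(pm_output):
    """Parse `pm list packages -3` output (lines of 'package:<name>')."""
    lines = (line.strip() for line in pm_output.splitlines())
    return {l[len("package:"):] for l in lines if l.startswith("package:")}


def triage(setting_value, pm_output, projecting, trusted):
    """Return {package: verdict} for third-party accessibility services.

    projecting: packages observed capturing the screen (assumption: gathered
    separately by the analyst, e.g. from the casting notification).
    trusted: packages approved for accessibility use (assumed allowlist).
    """
    third_party = parse_third_party_packages(pm_output)
    findings = {}
    for package, _cls in parse_accessibility_services(setting_value):
        if package not in third_party or package in trusted:
            continue
        if package in projecting:
            findings[package] = "high: accessibility service + screen capture"
        else:
            findings[package] = "review: unapproved accessibility service"
    return findings


# Constructed sample device state (not from a real infection).
SAMPLE_SETTING = "com.example.reader/.TalkService:com.example.guard/com.example.guard.Svc"
SAMPLE_PM = "package:com.example.reader\npackage:com.example.guard\npackage:com.example.notes\n"
SAMPLE_RESULT = triage(SAMPLE_SETTING, SAMPLE_PM, {"com.example.guard"}, {"com.example.reader"})
```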
How Vultur is different from other Android banking trojans
The approach Vultur uses to harvest login credentials is different from that of other Android banking trojans. In most cases, the regular Android banking trojan tricks victims into entering their credentials in what they think is an authentic banking app, which then gives the attackers access. Vultur, on the other hand, uses screen recording, thereby easily gaining access to the login credentials without having to use any other tricks.
The discovery of this malware showed that Android banking trojans have become far more advanced, and it is now easier for attackers to get access to login credentials. ThreatFabric wants that mobile