Advisory ID: ngCERT-2024-0011
Summary:
A new version of the Vultur banking trojan, posing as security, authenticator or productivity apps in order to steal sensitive data and gain total control over compromised Android devices, has been discovered. The malware has been embedded in over 800 apps on the Google Play Store, and many Android devices have been compromised. This latest version includes more advanced remote-control capabilities and an improved evasion mechanism, enabling its operators to interact with a mobile device remotely and harvest sensitive data. The attack relies on "smishing" (SMS phishing) and phone calls to trick targets into installing the malware. It can also be distributed via trojanized dropper apps built with the dropper framework known as Brunhilda.
Damage/Probability: HIGH/HIGH
Platform(s): Android
Description:
The infection chain begins with the victim receiving an SMS message alerting them of an unauthorised transaction and instructing them to call a provided number for guidance. When the victim calls, a fraudster answers and persuades them to open a link that arrives in a second SMS. Clicking the link directs the victim to a site offering a fake version of a security app, such as a counterfeit McAfee app, or of other apps such as My Finances Tracker, RecoverFiles and Zetter Authenticator. Once installed, the fake app decrypts and executes three Vultur-related payloads (two APKs and a DEX file) that obtain access to the Accessibility Services, initialise the remote-control components and establish a connection with the command and control (C2) server. In a second infection chain, the malware has been observed being distributed via trojanized dropper apps on the Google Play Store, masquerading as authenticator and productivity apps to trick unwitting users into installing them. The dropper framework called Brunhilda is used to deploy Vultur via three payloads, the last two of which are designed to invoke each other's functionality.
Consequences:
Successful installation of this malware on an Android device will allow the attacker to:
- Remotely interact with the infected device, including carrying out clicks, scrolls, and swipes, through Android's accessibility services, as well as download, upload, delete, install, and find files on the device.
- Steal sensitive financial information and carry out transactions from the victim's device.
- Use accessibility services to prevent victims from removing the malicious app through normal means. Specifically, whenever the user tries to open the app's details screen in Android settings, Vultur automatically presses the back button, blocking access to the uninstall button.
- Prevent the user from interacting with legitimate applications on the device, which are defined in a list provided by the attacker.
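Because every capability above depends on the malware holding accessibility access, a quick defender-side check is to enumerate the accessibility services enabled on a device and flag any package that is not on a known-good list. The script below is an added example written for this advisory, not part of the advisory or of any vendor tool; the allowlist packages and the suspicious package name in the sample are assumptions and constructed values.

```shell
#!/bin/sh
# Added example: flag unexpected Android accessibility services.
# Vultur relies on Accessibility Services for remote control and for blocking
# uninstall, so any enabled service outside the allowlist deserves a look.

# Assumed allowlist of packages expected to hold accessibility access (adjust per fleet).
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.settings"

# flag_unexpected_services "<pkg/service:pkg/service...>" "<space-separated allowlist>"
# Prints each enabled service whose package is not on the allowlist.
flag_unexpected_services() {
    services="$1"
    allow="$2"
    # `settings get` prints "null" when nothing is enabled; treat that as empty.
    [ "$services" = "null" ] && return 0
    printf '%s\n' "$services" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg=${entry%%/*}                 # package name precedes the '/'
        case " $allow " in
            *" $pkg "*) ;;               # expected package, nothing to report
            *) printf '%s\n' "$entry" ;; # unexpected package: report it
        esac
    done
}

# Constructed sample of what `adb shell settings get secure enabled_accessibility_services`
# returns: TalkBack plus a made-up package standing in for a suspicious app.
SAMPLE="com.google.android.marvin.talkback/.TalkBackService:com.example.fakeav/.AccService"

check_device() {
    # Read from a connected device when adb is available, otherwise use the sample.
    if command -v adb >/dev/null 2>&1; then
        svc=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    else
        svc="$SAMPLE"
    fi
    flag_unexpected_services "$svc" "$ALLOWED_PKGS"
}
```

Run `check_device` against a device to get the list of services to investigate; an empty result means every enabled service belongs to an allowlisted package.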
Solution:
It is therefore recommended that Android users should:
- Avoid calling numbers provided in unsolicited messages or emails.
- Be cautious of links in messages or emails, especially those related to financial transactions.
- Install apps only from trusted sources like the Google Play Store.
- Keep Android devices and apps updated to the latest versions.
- Use antivirus software and keep it updated to detect and remove malware.
- Regularly review financial transactions for any unauthorized activity and report it.
References: