Vultur Android Malware Swoops In To Stealthily Steal Banking Credentials

Some vultures prey on dead animals; other Vulturs prey on banking information entered on Android devices. In late March of this year, ThreatFabric detected an Android-based remote access trojan (RAT) malware, dubbed Vultur, collecting login credentials. However, the threat actors took a different approach to the thievery by simply recording what is shown on a screen through VNC.

As ThreatFabric describes, a “vulture is a large bird of prey that specializes in attacking and feeding on weak and helpless animals,” and they keep their “eyes on their preys for a long time before making a move, which happens only when they are sure the attack is lethal and successful.” The Vultur malware works similarly, wherein it observes everything happening on a device with screen recording over VNC and keylogging capabilities.

As time goes on, personally identifiable information (PII) like usernames, passwords, and other information is collected for later malicious use. While this is certainly interesting, ThreatFabric also found that Vultur has ties to older malware.

In late 2020, Bitdefender discovered a malware dropper on the Google Play Store, which was disguised as a variety of utility applications like “fitness apps and 2FA authenticators.” The dropper was then dubbed “Brunhilda” by researchers over at PRODAFT, who analyzed it further.

Then, following the discovery of Vultur, ThreatFabric researchers looked at code samples of Brunhilda, which looked strikingly similar to code within Vultur. Furthermore, Vultur was found using the same command and control servers as Brunhilda in the past. Thus, it is now believed that the two are “connected and operated by a private group using their own dropper to distribute different malware.”

Aside from this interesting connection that gives some insight into the business of malware, it also shows the continuing trend of mobile malware infections. ThreatFabric states as much, saying that “As the mobile channels of financial institutions continue to grow, mobile banking malware will only become more popular.”

However, while having mobile financial data is not necessarily bad, everyone needs to be more careful. Moreover, unless companies work harder to secure devices and app stores, we will only see the trend expand exponentially, as it is a good way for a threat actor to make a quick buck.