Vultur updated: Android banking Trojan gets new features

Father

How can a banal antivirus installation end up stealing funds from all your accounts?

Cybersecurity experts have discovered a new version of the Trojan virus for Android, codenamed Vultur, which has improved remote control capabilities and mechanisms to bypass protection.

The first version of this malware was reported by ThreatFabric back in March 2021, and at the end of 2022, the virus began to spread through dropper apps on Google Play. By the end of 2023, the mobile security platform Zimperium included Vultur in the top ten most active banking Trojans, noting that nine of its variants attacked 122 banking applications in 15 countries.

Fox-IT, a division of the NCC Group, recently released a detailed report on the new version of Vultur, which uses more sophisticated methods of distribution through SMS phishing and calls.

Infection starts with a text message about an unauthorized bank transaction, followed by an offer to call for help. The fraudulent call ends with the attackers offering to install a mobile antivirus program to secure the victim's funds. The cybercriminals then send the victim a link to install a supposedly legitimate McAfee Security application, which is actually the Vultur malware in disguise.

The new version of Vultur retains the features of previous versions, such as screen recording, keylogging, and remote access, but also adds new features, including file management, using the Android accessibility service to simulate tapping and scrolling, blocking certain apps, and displaying false notifications.

The malware uses sophisticated mechanisms to bypass security, including encrypting communication with the management server and using native code to decrypt the payload, which makes reverse analysis difficult and helps avoid detection.

To minimize the risk of malware infection on Android, it is recommended to download apps only from trusted sources, such as the official Google Play app store, and avoid clicking on links in messages.

It is also important to carefully check the permissions requested by applications and grant access only to those functions that are necessary for their correct operation.
 