Heimdal
Home > Cybersecurity News

New Version of the Vultur Android Banking Trojan Spoofs Security App

The Malware Improved Its Detection Evasion Technique and Remote Control Capabilities.

Last updated on April 3, 2024

article featured image

Contents:

Researchers discovered new version of the Vultur Android banking trojan upgraded its obfuscation and remote control features.

Reportedly, the malware masquerades the McAfee Security app to trick the victim into installing it.

The Vultur banking trojan infection chain explained

The first step of the attack is sending the victim a phishing SMS warning about an authorized transaction. The hackers pressure the target to call a given number for help.

Next, the threat actors get the victim to click a malicious link in another SMS.

The victim lands on a fake McAfee Security app download page. Downloading the forged security app leads to installing the “Brunhilda” malware dropper.

The dropper runs three Vultur payloads (APKs and a DEX file). From then on, the malware can

vultur trojan infection chain

Source: Fox-IT 

What are Vultur’s new technical features?

Researchers say the Android banking trojan uses AES and Base64 encryption to stealthily communicate with its C2. Besides, the new Vultur malware can:

  • Deploy, install and delete files
  • Command the victim’s device to scroll, swipe, click, mute/unmute audio, etc. For this, it uses the Android Accessibility Services
  • Block apps
  • Show a custom notification in the status bar
  • Evade lock screen security measures by disabling Keyguard

How to prevent a Vultur malware infection

Avoid falling victim to the new Vultur banking trojan by following a few cybersecurity best practices:

  • Always download apps from Android’s official app store, Google Play
  • Beware of social engineering and smishing techniques
  • Don’t click on URLs in messages. Use a DNS filtering solution to block communication to and from malicious domains.
  • When installing a new app, only allow those permissions that it needs to work properly. Block access to any other functionality, like accessing the camera or microphone

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

Related Articles

Command-and-Control Servers Explained. Techniques and DNS Security RisksTop 10 Endpoint Security Best Practices That Help Prevent CyberattacksWhat Is Malware? Definition, Types and ProtectionWhat Is DNS Filtering and Why Does Your Business Need It?What Is Smishing?What Is Social Engineering?Phishing attacks explained: How it works, Types, Prevention and StatisticsUnderstanding Remote Access Trojan (RAT): Defining Malware Threats with Heimdal

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V