Operators of a new Remote Access Trojan (RAT) dubbed Vultur are using screen recording features to steal sensitive information from Android devices, including banking credentials.
The malware uses Virtual Network Computing (VNC) remote screen access technology to monitor users. The malware was distributed through the official Google Play Store and disguised itself as the Protection Guard application with more than 5,000 installations.
“This is the first time we’re seeing a banking Trojan for Android devices that uses screen recording and keyloggers as the primary strategy for collecting login credentials automatically and in a scalable manner. The attackers chose to abandon the general development of HTML overlays, which we usually see in other banking Trojans for Android. This approach usually takes a lot of time and effort for hackers to create multiple overlays that can trick the user. Instead, they decided to just record what is displayed on the screen and get the same end result, ” said researchers at ThreatFabric.
According to experts, recently, operators of banking Trojans are increasingly abandoning tactics using overlay attacks. For example, the operators of UBEL, an updated version of the Oscorp malware, used the WebRTC protocol to interact with a compromised Android phone in real-time. Vultur uses a similar tactic – it takes advantage of access permissions to capture keystrokes and uses VNC’s screen recording feature to discreetly monitor all user activity.
Moreover, the malware uses the cross-platform ngrok utility to connect local servers protected by Network Address Translation (NAT) and firewalls to the Internet via secure tunnels in order to provide remote access to a VNC server running locally on the phone. In addition, the malware establishes connections with the C&C server to receive commands via Firebase Cloud Messaging (FCM) and transfer the stolen data back to the server.
Catch up on more articles here
Follow us on Twitter here