Published: September 07, 2021 on our newsletter Security Fraud News & Alerts Newsletter.
A new RAT (Remote Access Trojan) found hiding in apps on Google Play Store has capabilities that shocked those who discovered it. Dubbed Vultur, it’s a banking malware found by ThreatFabric earlier this year that targets banking apps and cryptocurrency wallets in particular, but harvests other PII (personally identifiable information) as well. Vultur also hides in Android mobile apps that include Facebook and Messenger, WhatsApp, Tik Tok, and Viber Messenger. ThreatFabric finds Vultur is a malware to be reckoned with, and Android mobile app fans need to know what to look for when app shopping in the Google Play Store.
What’s In a Name?
ThreatFabric chose the name Vultur based on the large bird of prey. Vultures follow their victims closely from above, watching everything they do. ThreatFabric finds this malware’s biggest threat is stealing data by recording what’s shown on a victim’s mobile device screen, also closely watching everything they do. It also uses keylogging to copy the keystrokes made by the device user.
Combined screen recordings and keylogging are Vultur’s main strategy for stealing banking data and Vultur can also be scaled to size depending on the attacker’s goal. The two features are a real-time way to capture everything needed to perform financial fraud. It records all the PII used on a device, including login data with passwords and access tokens, and usernames for bank accounts and cryptocurrency wallets. Some of the crypto wallet targets are Binance, HitBTC, Coinbase, and Coinbase Pro.
Where Vultur originates, according to ThreatFabric’s Mobile Threat Intelligence Portal, is when it’s loaded onto a victim’s phone using infected apps from the Google Play Store. They believe Vultur is based on a connection to a well-known dropper named Brunhilda. Dropper malware is designed to carry and conceal malicious programs to a device using built-in code. They’re difficult to detect by most virus scanners, which explains how Vultur escapes Google Play Store’s scanning apps for viruses before making them available.
Keep Vultur Grounded
Don’t use apps from third party app stores, otherwise known as “sideloading.” These sites rarely, if ever, scan apps for malware before making them available.
Use apps from known and trusted developers. Always read app reviews before downloading as they can point out troublesome issues. However, users should know that some reviews can be faked.
Pay attention to pop-up windows during download that ask for permission to data and device features not necessary for the app to run.
Use trusted antivirus solutions on all devices as they can alert you to viruses before downloading.
Keep your mobile device operating system and other software updated. Updates typically have fixes for security bugs.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org