This notorious Android banking Trojan allows hackers to take remote control of your phone


One of the most advanced Android banking Trojans has been upgraded with a new feature that allows remote control of infected devices. First discovered by security firm ThreatFabric in 2021, Vultur was one of the first banking Trojans that could record the screen of an infected Android smartphone. Since then, the creators of this Android malware have updated it into even more dangerous malware. As reported by SecurityWeek, Vultur has added new technical features that further improve its ability to evade detection. The malware was initially distributed through a malicious app on the Google Play store, but NCC Group security researchers recently observed an entirely new campaign that uses a different distribution method to trick unsuspecting users into installing the malware on their Android phones.

Here is everything you need to know about the Vultur banking Trojan, along with some tips and tricks to prevent hackers from taking over your phone.

Instead of infecting users through a malicious app, this new campaign uses a hybrid attack that starts with a text message, followed by a phone call or even another text message.

In their report, security researchers at the NCC Group explain that this hybrid attack begins with a text message instructing potential victims to call a certain number if they did not authorize a large transaction from their bank account. Although the transaction never actually took place, the message creates enough of a sense of urgency to trick the user into calling that number.

If the user calls to inquire about the large transaction, a second text message is sent during the call. This text message contains a link to a Trojanized version of the McAfee security app, which the user is coerced into installing on his or her smartphone. While the app itself appears legitimate, it actually contains the Brunhilda dropper, which is used to download the Vultur banking Trojan.

The malware is downloaded in three separate payloads, which are combined on the targeted Android smartphone. Once it is installed, the hackers behind this campaign have full control over the infected device.
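The two-stage lure described above (an alarming "unauthorized transaction" text with a callback number, then a link to an app sent mid-call) is the kind of pattern an SMS gateway or a support desk can score automatically. The following is an added example, not code from the article or from NCC Group; the sample messages are constructed, and the indicator weights and the threshold are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not real campaign data), modelled on the
# lure described in the article: an alarming transaction alert with a
# callback number, then a link to an "app" sent during the call.
SAMPLE_MESSAGES = [
    "ALERT: A payment of $1,950.00 to an online retailer was authorised on "
    "your account. If this was not you, call +1 555 010 0199 immediately.",
    "Thanks for calling. Please install our security app to secure your "
    "account: http://example.invalid/mcafee-security.apk",
    "Your parcel is out for delivery and will arrive between 2pm and 4pm.",
]

# Urgency vocabulary typical of pressure-based lures (assumed list).
URGENCY_TERMS = ("immediately", "urgent", "suspended", "unauthorised",
                 "unauthorized", "not you", "within 24 hours")
# Loose phone-number and URL matchers; good enough for triage, not validation.
PHONE_RE = re.compile(r"(?:\+?\d[\d\s().-]{7,}\d)")
URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int
    reasons: list[str] = field(default_factory=list)


def triage_sms(text: str) -> Verdict:
    """Score one SMS for the lure pattern: urgency plus a callback number,
    or a link that asks the recipient to install something."""
    lower = text.lower()
    verdict = Verdict(score=0)

    urgency = [t for t in URGENCY_TERMS if t in lower]
    if urgency:
        verdict.score += 1
        verdict.reasons.append(f"urgency language: {', '.join(urgency)}")

    # A message that embeds a number and tells you to call it is the first
    # stage of the hybrid attack; banks rarely ask you to call an SMS number.
    if PHONE_RE.search(text) and re.search(r"\bcall\b", lower):
        verdict.score += 2
        verdict.reasons.append("asks recipient to call an embedded number")

    for url in URL_RE.findall(text):
        if url.lower().rstrip(".,").endswith(".apk"):
            verdict.score += 3  # sideload link: second stage of the attack
            verdict.reasons.append(f"direct APK download link: {url}")
        elif re.search(r"\b(install|download)\b", lower):
            verdict.score += 2
            verdict.reasons.append(f"link with install/download instruction: {url}")
    return verdict


def is_suspicious(text: str, threshold: int = 3) -> bool:
    """Assumed threshold: 3 flags either stage of the lure on its own."""
    return triage_sms(text).score >= threshold


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = triage_sms(msg)
        print(f"score={v.score} suspicious={is_suspicious(msg)} reasons={v.reasons}")
```

The scoring is deliberately simple: either stage of the lure on its own crosses the threshold, so the first message is flagged before the victim ever picks up the phone, and the mid-call APK link is flagged regardless of how polite its wording is.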

The Vultur banking Trojan was dangerous enough when it was first observed, but it now has even more features that hackers can use in their attacks.

For example, the malware can download, upload, delete, install, and search for files on infected Android smartphones, and it can also prevent apps from running in the first place. Similarly, it can display custom notifications in the status bar and disable the keyguard, which bypasses the lock screen. However, the new remote control feature is by far the most interesting.

Vultur uses AlphaVNC and ngrok for its remote access functions, as it did in 2021, but hackers can now send commands to infected smartphones to scroll, perform swipe gestures, click, mute or unmute device audio, and more.

Like other Android malware, Vultur abuses the operating system's accessibility services to gain further control over infected devices. The cybercriminals behind this banking Trojan also leverage Google's own Firebase Cloud Messaging (FCM) service to send messages from the command and control (C2) servers they operate to infected phones.

Normally, a hacker would need a continuous connection to an infected device in order to control it. With FCM, however, commands can be sent even when the connection to the device is broken. AlphaVNC and ngrok still require a continuous remote connection, but this new feature provides more flexibility and makes it easier for hackers to introduce this malware into their attacks. The new features are

In addition, the newly added file manager feature gives hackers even more control over infected Android smartphones.
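The capability set described in the preceding paragraphs (an accessibility service for control of the screen, an FCM listener for push-delivered commands, plus the overlay and package-install permissions a dropper needs) shows up in an app's manifest long before any of it runs, which makes a manifest check a cheap triage step for app-vetting or incident response. The following is an added example, not code from the article or from any of the vendors it cites; it assumes the manifest has already been decoded to plain XML (for instance with apktool), the manifest fragment is constructed, and the indicator weights and review threshold are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment (not from a real sample) mimicking the
# combination described in the article: an accessibility service, an FCM
# message receiver, and overlay plus package-install permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Push" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

# Assumed weights: accessibility access is the strongest single signal, since
# it is what lets the malware read and drive the screen; FCM alone is common
# in legitimate apps and only counts in combination with the others.
INDICATORS = {
    "accessibility_service": 3,
    "fcm_listener": 1,
    "overlay_permission": 2,
    "install_packages_permission": 2,
}


def find_indicators(manifest_xml: str) -> list[str]:
    """Return the names of the risk indicators present in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = []
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        found.append("overlay_permission")
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        found.append("install_packages_permission")
    for svc in root.iter("service"):
        # An accessibility service must be protected by this permission,
        # so its presence reliably marks the component.
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            found.append("accessibility_service")
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if "com.google.firebase.MESSAGING_EVENT" in actions:
            found.append("fcm_listener")
    return found


def risk_score(manifest_xml: str) -> int:
    return sum(INDICATORS[name] for name in find_indicators(manifest_xml))


def needs_review(manifest_xml: str, threshold: int = 5) -> bool:
    """Assumed threshold: accessibility plus any one dropper permission."""
    return risk_score(manifest_xml) >= threshold


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, find_indicators(manifest), risk_score(manifest), needs_review(manifest))
```

None of these indicators is malicious on its own; screen readers legitimately bind an accessibility service and most apps with push notifications register an FCM listener. The point is the combination, which is why the threshold is set so that a single indicator never triggers review.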

Normally, we would tell you to avoid low-rated Android apps and to avoid sideloading apps if you want to keep yourself safe from malware, but this campaign is a little different.

It is similar to a phishing attack because it starts with an urgent message from an unknown sender. In cases like this, you need to remain calm and not let your emotions get the better of you. Instead of reacting immediately to the message, or not reacting at all, the first thing to do is to check your bank account to see whether this large transaction actually happened. You will find that it did not, and you can then safely ignore the message.

At the same time, you never want to call a hacker at a number they texted or emailed you. Automated email security checks stop many messages from hackers from getting through, but once they have you on the phone, it is easy for them to talk you into doing something you would not otherwise do.

To protect yourself from Trojanized apps like the one used in this attack, make sure that Google Play Protect is installed and enabled on your Android smartphone. These days, it comes pre-installed on most Android phones. In addition, Android antivirus apps are updated frequently, and many include security features such as VPNs and password managers.

In an email to Tom's Guide, a Google spokesperson offered further insight into how the search giant is working to keep Android users safe from the Vultur malware, saying: "Android users are automatically protected from known versions of this malware by Google Play Protect, which is turned on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps that are known to behave maliciously."

Even as Google and other companies improve their technology to repel attacks like this one, hackers will continue to develop new ways to trick users into installing malware on their smartphones. For this reason, you must be especially careful when installing new apps and avoid at all costs those that have to be installed manually.
