Unfortunately, mobile malware rarely disappears for good; it usually comes back more powerful. This is the case with Vultur, a banking malware that has been circulating for some time and seems to be more of a phoenix than a vulture. Its resurgence after its first release in 2021 reveals a new, much more sophisticated version with the same objective: emptying our accounts.
Vultur is Android malware that specializes in hiding in seemingly harmless apps and then taking control of the phone using accessibility services. A new analysis of the latest variants circulating these days shows malware with even more tools designed for evil.
The vulture returns
Fox-IT security researchers analyzed the latest versions of the Vultur malware, first identified in 2021, and found that the new versions are even more advanced and close the gap with other similar existing malware.
The malware usually spreads in a curious way: we receive an SMS informing us that a money transfer has been made from our account and that we need to call a phone number to cancel it. When we call, we receive a second SMS with a link to download a supposed security application such as McAfee antivirus.
Of course, this is not the real McAfee antivirus, but rather a camouflaged version of the malware that will essentially take over the device. Among its capabilities, it prevents us from opening certain applications or websites “for our security”. With this same excuse, the application guides us to enable accessibility permissions.
It is precisely in its use of these accessibility permissions that Vultur has “improved”, since previous versions were based on remote control with AlphaVNC and ngrok. It can still do this, but the new method favored by its developers to steal data relies on Firebase messaging and the accessibility permission.
With this method, Vultur has new functions, including uploading, downloading, deleting and searching for files; controlling the device remotely by sending gestures, scrolling, clicking or controlling sound; preventing apps from loading; displaying personalized notifications in the status bar; and deactivating the phone's security so that it can be unlocked without the PIN code.
Additionally, this “vulture” uses new techniques to avoid detection, such as spreading in three stages, using encryption, and camouflaging itself as legitimate apps like the aforementioned McAfee antivirus or Google’s legendary Talkback.
Vultur’s objective remains the same: to steal our credentials for the banking application in order to try to empty our account, collecting any other passwords in the process.
The best way to protect yourself against this malware is as follows: never install apps from links sent to us via SMS, regardless of how serious and urgent the matter seems. And when in doubt, always consult the official source (call our bank).
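Because the infection described above depends on a sideloaded app being granted the accessibility permission, one check on a device is to list the enabled accessibility services that belong to user-installed apps that did not come from Google Play. The script below is an added example, not code from the article or from Fox-IT; it assumes the text output of the two `adb shell` commands named in its comments, treats Google Play as the only trusted installer (an assumption), and uses constructed sample data with placeholder `com.example.*` package names.

```python
# Added example (not from the article): list enabled accessibility services
# that belong to user-installed apps which did not come from Google Play.
PLAY_STORE = "com.android.vending"  # installer recorded for Google Play installs

def parse_enabled_services(settings_output):
    """Parse `adb shell settings get secure enabled_accessibility_services`:
    a colon-separated list of package/ServiceClass, or "null" when empty."""
    value = settings_output.strip()
    if not value or value == "null":
        return []
    pairs = (c.partition("/") for c in value.split(":"))
    return [(pkg, cls) for pkg, _, cls in pairs if pkg]

def parse_third_party_installers(pm_output):
    """Parse `adb shell pm list packages -3 -i` (user-installed apps only),
    whose lines look like: package:<name>  installer=<name|null>."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):]
        installers[fields[0][len("package:"):]] = installer
    return installers

def flag_sideloaded_services(settings_output, pm_output, trusted=(PLAY_STORE,)):
    """Return (package, service, installer) for each enabled accessibility
    service owned by a third-party app whose installer is not trusted.
    Preinstalled system apps are absent from the -3 listing and are skipped."""
    installers = parse_third_party_installers(pm_output)
    return [(pkg, cls, installers[pkg])
            for pkg, cls in parse_enabled_services(settings_output)
            if pkg in installers and installers[pkg] not in trusted]

# Constructed sample output; com.example.* names are placeholders.
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.fakesecurity/.GuardService:"
                   "com.example.reader/.ReadAloudService\n")
SAMPLE_PM = """package:com.example.fakesecurity  installer=null
package:com.example.reader  installer=com.android.vending
package:com.example.game  installer=com.android.vending
"""

if __name__ == "__main__":
    for hit in flag_sideloaded_services(SAMPLE_SETTINGS, SAMPLE_PM):
        print("review:", hit)
```

A flagged entry is a prompt for manual review rather than proof of infection, since legitimate apps can also be installed from outside Google Play.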
More information | Fox-IT