New malware that targets banking apps has been discovered. It is installed through bogus apps on the Google Play Store. Called Vultur, it uses a VNC server to record everything that happens on the screen.
The cybersecurity company spotted a which uses a new technique to steal passwords. Most programs of this type display a page over the banking, prompting the user to enter their credentials. This new malware, called Vultur, is based on a VNC, a technology that allows it to record and broadcast everything that happens on the screen in real time.
Vultur is installed thanks to Brunhildar, a malware contained in fake applications on the Play. Brunhilda is a ” dropper ”, In other words its only function is to allow the installation of other malware. Vultur must obtain to record the screen and perform actions, and for this fools users by displaying an overlay already seen with other malware.
Over 30,000 potential installations
The malware monitors application usage and launches as soon as it detects one of the 103 target applications on its list. It then captures the screen of theas well as all keystrokes to obtain bank identifiers, as well as those of Facebook, Viber and . Vultur is currently targeting applications for banks in Italy, Spain, the Netherlands, UK and Australia. the is based on several legitimate applications, including AlphaVNC for the server , ngrok to make sure the VNC server can be accessed remotely, and Firebase from to be able to receive commands from a control server.
The presence of Vultur is quite easy to detect since the« Caster “In the notification area of indicates that ” Protection Guard »Broadcasts the screen. However, the is difficult to remove since it activates the “Back” function as soon as the smartphone displays the screen allowing it to be uninstalled. The false application Protection Guardwas installed over 5,000 times before being removed from the Play Store. However, ThreatFabric estimates that bogus applications containing Brunhildar, which can install various malware including Vultur, have been installed more than 30,000 times.