New malware that targets banking apps has been discovered. It is installed through bogus apps on the Google Play Store. Called Vultur, it uses a VNC server to record everything that happens on the screen.
The cybersecurity company ThreatFabric has spotted banking malware that uses a new technique to steal passwords. Most programs of this type display a web page over banking applications, prompting the user to enter their credentials. This new malware, called Vultur, is based on a VNC server, a technology that allows it to record and broadcast everything that happens on the screen in real time.
Vultur is installed by Brunhilda, a piece of malware contained in fake applications on the Play Store. Brunhilda is a "dropper"; in other words, its only function is to allow the installation of other malware. Vultur must obtain permissions to record the screen and perform actions, and to do so it fools users by displaying an overlay already seen with other malware.
Over 30,000 potential installations
The malware monitors application usage and launches as soon as it detects one of the 103 target applications on its list. It then captures the smartphone's screen and all keystrokes to obtain banking credentials, as well as those for Facebook, Viber and TikTok. Vultur is currently targeting applications for banks in Italy, Spain, the Netherlands, the UK and Australia. The malware is based on several legitimate applications, including AlphaVNC for the VNC server, ngrok to make sure the VNC server can be accessed remotely, and Firebase from Google to receive commands from a control server.
The presence of Vultur is quite easy to detect, since the "Cast" icon in the Android notification area indicates that "Protection Guard" is broadcasting the screen. However, the malware is difficult to remove, since it activates the "Back" function as soon as the smartphone displays the screen that allows it to be uninstalled. The fake application Protection Guard was installed over 5,000 times before being removed from the Play Store. However, ThreatFabric estimates that bogus applications containing Brunhilda, which can install various malware including Vultur, have been installed more than 30,000 times.
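The screen-broadcast indicator described above can also be checked from a workstation. This added example (not from ThreatFabric or the original article) parses the text of `adb shell dumpsys media_projection` to name the app currently capturing the screen; the output format is an assumption based on AOSP, and the package names and allowlist are constructed placeholders.

```python
import re

# Assumption: grant line format "(<package>, uid=<n>): <TYPE>" as printed by
# AOSP's `dumpsys media_projection`; it may differ between Android versions.
GRANT_RE = re.compile(r"^\((?P<package>[\w.]+), uid=(?P<uid>\d+)\): (?P<type>\w+)$")

# Hypothetical allowlist: apps the device owner knowingly uses to share the screen.
EXPECTED_CASTERS = {"com.example.videomeeting"}

# Constructed samples; com.example.protectionguard is a placeholder package name.
SAMPLE_ACTIVE = """\
MEDIA PROJECTION MANAGER (dumpsys media_projection)
Media Projection:
(com.example.protectionguard, uid=10234): TYPE_SCREEN_CAPTURE
"""
SAMPLE_IDLE = """\
MEDIA PROJECTION MANAGER (dumpsys media_projection)
Media Projection:
null
"""


def active_projection(dump_text):
    """Return {'package', 'uid', 'type'} for the app capturing the screen, or None."""
    for line in dump_text.splitlines():
        m = GRANT_RE.match(line.strip())
        if m:
            return {"package": m["package"], "uid": int(m["uid"]), "type": m["type"]}
    return None


def triage(dump_text, expected=EXPECTED_CASTERS):
    """Classify one dump as 'idle', 'expected' or 'unexpected' screen capture."""
    grant = active_projection(dump_text)
    if grant is None:
        return ("idle", None)
    verdict = "expected" if grant["package"] in expected else "unexpected"
    return (verdict, grant)


if __name__ == "__main__":
    for name, dump in (("active", SAMPLE_ACTIVE), ("idle", SAMPLE_IDLE)):
        print(name, *triage(dump))
```

An "unexpected" verdict only says that an app outside the allowlist holds a screen-capture grant; the package still has to be reviewed before drawing conclusions.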