| Risk | high |
| Damage | high |
| Platform(s) | Android OS |
| Advisory ID | ngCERT-2024-0011 |
| Version | N/A |
| CVE | N/A |
| Published | April 16, 2024 |
A new version of the Vultur banking trojan has been discovered posing as security, authenticator or productivity apps in order to steal sensitive data and gain total control over compromised Android devices. The malware has been embedded in over 800 apps on the Google Play Store, and many Android devices have been compromised. This latest version of the malware includes more advanced remote-control capabilities and an improved evasion mechanism, enabling its operators to remotely interact with a mobile device and harvest sensitive data. The attack relies on "smishing" (SMS phishing) and phone calls to trick targets into installing a version of the malware. Additionally, it can also be distributed via trojanized dropper apps built with the dropper framework known as Brunhilda.
The infection chain begins with the victim receiving an SMS message alerting them of an unauthorised transaction and instructing them to call a provided number for guidance. When the victim calls, the call is answered by a fraudster who persuades the victim to open a link that arrives in a second SMS. Clicking on this link directs the victim to a site offering a fake version of a security app such as the McAfee app, or of other apps such as My Finances Tracker, RecoverFiles and Zetter Authenticator. Once installed, the fake app decrypts and executes three Vultur-related payloads (two APKs and a DEX file) that obtain access to the Accessibility Services, initialise the remote-control systems and establish a connection with the command and control (C2) server. In a second infection chain, the malware has been observed being distributed via trojanized dropper apps on the Google Play Store, masquerading as authenticator and productivity apps to trick unwitting users into installing them. The dropper framework called Brunhilda is used to deploy Vultur via three payloads, the last two designed to invoke each other's functionality.
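As an added illustration that is not part of the ngCERT advisory, the following Python script performs the kind of static triage a defender can run on a suspected dropper: it opens an APK as a ZIP archive and flags entries under assets/ or res/raw/ that are plaintext DEX/APK stages or high-entropy blobs, the pattern consistent with a dropper carrying encrypted payloads it decrypts at run time. The sample APK, its entry names and the entropy threshold are constructed assumptions for the demonstration.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Magic bytes of the payload types a dropper typically unpacks:
# DEX files start with "dex\n", APKs are ZIP archives ("PK\x03\x04").
MAGIC = {b"dex\n": "embedded DEX", b"PK\x03\x04": "embedded APK/ZIP"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or packed data approaches 8.0 (assumed cut-off)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_apk_assets(apk_bytes: bytes, min_size: int = 4096) -> list[tuple[str, str]]:
    """Return (entry_name, reason) for suspicious entries under assets/ or res/raw/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith(("assets/", "res/raw/")):
                continue
            data = zf.read(name)
            for magic, label in MAGIC.items():
                if data[:4].startswith(magic):
                    findings.append((name, label))  # plaintext stage hidden in assets
                    break
            else:
                ent = shannon_entropy(data)
                if len(data) >= min_size and ent >= ENTROPY_THRESHOLD:
                    findings.append((name, f"high-entropy blob ({ent:.2f} bits/byte)"))
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample: a ZIP laid out like an APK with one benign asset,
    one plaintext DEX stage and one random (encryption-like) blob."""
    rng = random.Random(1234)  # deterministic stand-in for ciphertext
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)  # normal location, not flagged
        zf.writestr("assets/strings.json", b'{"title": "hypothetical finance app"}')
        zf.writestr("assets/stage1.bin", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/stage2.bin", rng.randbytes(8192))
    return buf.getvalue()

if __name__ == "__main__":
    for entry, reason in triage_apk_assets(build_sample_apk()):
        print(f"{entry}: {reason}")
```

On a real sample, point triage_apk_assets at the bytes of the downloaded APK; hits only indicate that the package warrants deeper analysis, not that it is malicious.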
Successful installation of this malware on any Android device will allow the attacker to:
It is therefore recommended that Android users should: