Home Android This Vultur app takes malicious to the next level

This Vultur app takes malicious to the next level


A Netherlands security research firm has uncovered a new Android dropper app, dubbed Vultur, that delivers legitimate functionality, then silently shifts into malicious mode when it detects banking and other financial activities.

Vultur, found by ThreatFabric, is a keylogger that captures financial institution credentials by piggybacking  on the current banking session and stealing funds right away — invisibly. And just in case the victim realizes what is happening, it locks down the screen.

(Note: Always have your bank’s phone number so that a direct call to a local branch might save your money — and keep the number on paper. If it’s on your phone and the phone is locked, you’re out of luck.)

“Vultur is able to monitor applications that are launched and start screen recording/keylogging once targeted application is launched,” according to ThreatFabric. “Besides that, screen recording is launched every time the device is unlocked to capture PIN-code/graphic password used to unlock device. Analysts tested the Vultur capabilities on a real device and can confirm that Vultur successfully records a video of entering PIN-code/graphic password when unlocking device and entering credentials in the targeted banking application.”

According to the ThreatFabric report, “Vultur uses droppers posing as some additional tools, like MFA authenticators, located in official Google Play Store as a main distribution way, therefore, it is hard for endusers to distinguish malicious applications. Once installed, Vultur will hide its icon and request Accessibility Service privileges to perform its malicious activity. Being provided with these privileges, Vultur also activates self-defensing mechanism that makes it hard to uninstall it: if victim tries to uninstall trojan or disable Accessibility Service privileges, Vultur will close Android Settings menu to prevent it.”

It’s worth noting that using biometrics to log in to a financial app — common these days on both Android and iOS – is an excellent move. In this situation, though, it won’t help here as the app piggybacks on the live session. Biometric info is less useful to the app the next time (hopefully) _ and it won’t help you fend off  the current attack.

ThreatFabric did offer three suggestions for getting out of Vultur’s grip. “One, boot the phone into safe mode, preventing the malware from running” and then try and uninstall the app. “Two, use ADB (Android Debug Bridge) to connect to the device via USB and run the command {code}adb uninstall <malware_package_name>{code}. Or perform a factory reset.”

Beyond the fact that these steps require a big clean-up to return to the phone’s prior usable state, it also requires the victim to know the name of the malicious app. That may not be easy to determine, unless the victim downloads very few apps that are not well-known.

Copyright © 2021 IDG Communications, Inc.