A Netherlands security research firm has uncovered a new Android dropper app, dubbed Vultur, that delivers legitimate functionality, then silently shifts into malicious mode when it detects banking and other financial activities.
Vultur, found by ThreatFabric, is a keylogger that captures financial institution credentials by piggybacking on the current banking session and stealing funds right away — invisibly. And just in case the victim realizes what is happening, it locks down the screen.
(Note: Always have your bank’s phone number so that a direct call to a local branch might save your money — and keep the number on paper. If it’s on your phone and the phone is locked, you’re out of luck.)
“Vultur is able to monitor applications that are launched and start screen recording/keylogging once targeted application is launched,” according to ThreatFabric. “Besides that, screen recording is launched every time the device is unlocked to capture PIN-code/graphic password used to unlock device. Analysts tested the Vultur capabilities on a real device and can confirm that Vultur successfully records a video of entering PIN-code/graphic password when unlocking device and entering credentials in the targeted banking application.”
According to the ThreatFabric report, “Vultur uses droppers posing as some additional tools, like MFA authenticators, located in official Google Play Store as a main distribution way, therefore, it is hard for endusers to distinguish malicious applications. Once installed, Vultur will hide its icon and request Accessibility Service privileges to perform its malicious activity. Being provided with these privileges, Vultur also activates self-defensing mechanism that makes it hard to uninstall it: if victim tries to uninstall trojan or disable Accessibility Service privileges, Vultur will close Android Settings menu to prevent it.”
It’s worth noting that using biometrics to log in to a financial app — common these days on both Android and iOS – is an excellent move. In this situation, though, it won’t help here as the app piggybacks on the live session. Biometric info is less useful to the app the next time (hopefully) _ and it won’t help you fend off the current attack.
ThreatFabric did offer three suggestions for getting out of Vultur’s grip. “One, boot the phone into safe mode, preventing the malware from running” and then try and uninstall the app. “Two, use ADB (Android Debug Bridge) to connect to the device via USB and run the command {code}adb uninstall <malware_package_name>{code}. Or perform a factory reset.”
Beyond the fact that these steps require a big clean-up to return to the phone’s prior usable state, it also requires the victim to know the name of the malicious app. That may not be easy to determine, unless the victim downloads very few apps that are not well-known.
Further complicating this mess is that users tend to implicitly trust apps offered in an official manner through Google and Apple. Although it is absolutely true that both mobile OS firms need to, and can, do far more to screen apps, the sad truth may be that today’s volume of new apps may make such efforts ineffective or even futile.
Consider Vultur. Even ThreatFabric’s CEO, Cengiz Han Sahin, said that he doubts either Apple nor Google could have blocked Vultur — regardless of the number of security analysts and machine learning tools deployed.
“I think they (Google and Apple) are doing their best. This is just too difficult to detect, even with all the [machine learning] and all the new toys they have to detect these threats,” Sahin said in an interview. “They have chosen to be an open platform and these are the consequences.”
A key part of the detection problem is that the criminals behind these droppers truly deliver proper functionality, before the app turns malicious. Therefore, someone testing the app would likely just find that it is doing what it promises. To find the nefarious aspects, a system or person would have to carefully examine all of the code. “The malware doesn’t really become malware until the actor decides to do something malicious,” Sahin said.
It would also help if financial institutions did a bit more to help. Payment cards (debit and credit) do an impressive job of flagging and pausing any transactions that appear to be a deviation from the norm. Why can’t those same financial institutions perform similar checks for all online money transfers?
This brings us back to IT. There have to be consequences for users who disregard IT policy. Relying on the suggestions cited for removing Vultur, also means a definite possibility of data loss. What if it’s enterprise data that is lost? What if that data loss requires the team to redo hours of work? What if it delays the delivery of something owed to a customer? Is it right for the line-of-business budget to take a hit when it was caused by an employee or contractor violating policy?
Copyright © 2021 IDG Communications, Inc.
