New Smartphone Malware Uses VNC to Steal Passwords


New malware that targets banking apps has been discovered. It is installed through bogus apps on the Google Play Store. Called Vultur, it uses a VNC server to record everything that happens on the screen. 


New virus steals passwords

A previously undocumented Android remote access Trojan has been found to use screen recording features to steal sensitive information on the device, including banking credentials, and to open the door to on-device fraud.

Cyber security firm ThreatFabric has spotted banking malware that uses a new technique to steal passwords. Most programs of this type display a web page on top of banking applications, prompting the user to enter their credentials.

Vultur Malware

This new malware, called Vultur, is based on a VNC server, a technology that allows it to record and broadcast everything that happens on the screen in real time. Vultur is installed by Brunhilda, malware contained in bogus apps on the Play Store.

Making use of Virtual Network Computing (VNC), the mobile malware was distributed via the official Google Play Store, disguised as an app that attracted more than 5,000 installations.

Brunhilda is a "dropper", in other words its only function is to allow the installation of other malware. Vultur needs permissions to record the screen and perform actions, and to obtain them it deceives users by displaying an overlay of the kind already seen with other malware.

Banking malware such as MysteryBot, Grandoreiro, and Vizom has traditionally relied on overlay attacks, that is, creating a false copy of a bank's login page and overlaying it on top of the legitimate application to trick victims into revealing their passwords and other private information. There is increasing evidence that threat actors are veering away from this approach.

How does Vultur work?

In a report published earlier this week, Italian cybersecurity firm Cleafy unveiled UBEL, an updated variant of Oscorp, noted for using WebRTC to interact with a hacked Android phone in real time.


Vultur adopts a similar tactic in that it takes advantage of accessibility permissions to capture keystrokes and makes use of the VNC screen recording feature to surreptitiously record all activity on the phone, thus avoiding the need to register a new device and making it difficult for banks to detect fraud.

Furthermore, the malware uses ngrok, a cross-platform utility used to expose local servers behind NATs and firewalls to the public Internet via secure tunnels, to provide remote access to a VNC server running locally on the phone.  


In addition, it also establishes connections with the Command and Control server (C2) to receive commands via Firebase Cloud Messaging (FCM), whose results, including extracted data and screenshots, are then sent to the server.


The ThreatFabric investigation also linked Vultur to another well-known piece of malware called Brunhilda, a dropper that uses the Play Store to distribute various types of malware in a so-called DaaS (dropper-as-a-service) process, citing overlaps in source code and infrastructure.


The Amsterdam-based cybersecurity services firm said these links indicate that Brunhilda is a privately operating threat actor with its own dropper and its own RAT, Vultur.


The researchers concluded, “The Vultur story once again shows how actors switch from using rented (MaaS) Trojans sold in underground markets to proprietary malware tailored to the needs of this group.”


These attacks are scalable and automated because fraud execution procedures can be scripted on the malware backend and sent in the form of a sequence of commands, making it easier for the actor(s) to hit and run.

Over 30,000 potential installations 


The malware monitors application usage and launches as soon as it detects one of the 103 target applications on its list. 

It captures the screen of the smartphone as well as all keystrokes in order to obtain banking details, as well as those of Facebook, Viber and TikTok. Vultur is currently targeting applications for banks in Italy, Spain, the Netherlands, the UK and Australia.


The presence of Vultur is fairly easy to detect since the “Caster” icon in the Android notification area indicates that “Protection Guard” is broadcasting the screen. However, the malware is difficult to remove since it activates the “Back” function as soon as the smartphone displays the screen allowing it to be uninstalled. 
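Because Vultur depends on two capabilities a user must grant, an enabled accessibility service (used for keystroke capture and for pressing "Back" on the uninstall screen) and screen capture, a defender can triage a device by listing which third-party apps hold an accessibility service and comparing them against a vetted allowlist. The script below is an added example, not ThreatFabric's code or any tool from the article; it parses the output format of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/ServiceClass` pairs, or `null`) and `adb shell pm list packages -3`, both embedded here as constructed samples with hypothetical package names so it runs offline.

```python
"""Triage helper (added example): flag third-party apps that run an
accessibility service and are not on an allowlist.

The two inputs below are constructed samples of `adb shell` output; the
package names are hypothetical placeholders, not real indicators.
"""
import re
from typing import Dict, List, Set

# Constructed sample of `settings get secure enabled_accessibility_services`.
# Android stores enabled services as "pkg/Class" pairs separated by ":",
# and allows the shorthand "pkg/.Class" meaning "pkg/pkg.Class".
SAMPLE_ACCESSIBILITY = (
    "com.example.screenreader/com.example.screenreader.TalkService:"
    "com.example.protectionguard/.GuardAccessibilityService"
)

# Constructed sample of `pm list packages -3` (user-installed packages only).
SAMPLE_THIRD_PARTY = """package:com.example.bank
package:com.example.protectionguard
package:com.example.screenreader
"""

# Hypothetical allowlist of packages vetted to run an accessibility service.
ALLOWLIST: Set[str] = {"com.example.screenreader"}


def parse_accessibility_services(raw: str) -> Dict[str, List[str]]:
    """Map each package to the accessibility service classes it has enabled."""
    services: Dict[str, List[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return services
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # tolerate trailing separators or stray tokens
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand Android's ".Class" shorthand
        services.setdefault(pkg, []).append(cls)
    return services


def parse_package_list(raw: str) -> Set[str]:
    """Extract package names from `pm list packages` output lines."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)\s*$", raw, re.M)}


def flag_suspicious(accessibility_raw: str, third_party_raw: str,
                    allowlist: Set[str]) -> List[Dict[str, object]]:
    """Return third-party packages holding an accessibility service that
    are not on the allowlist; system packages are left to OS review."""
    services = parse_accessibility_services(accessibility_raw)
    third_party = parse_package_list(third_party_raw)
    findings: List[Dict[str, object]] = []
    for pkg, classes in services.items():
        if pkg in allowlist or pkg not in third_party:
            continue
        findings.append({
            "package": pkg,
            "services": classes,
            "reason": "third-party app with an accessibility service "
                      "not on the allowlist",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_ACCESSIBILITY,
                                   SAMPLE_THIRD_PARTY, ALLOWLIST):
        print(f"{finding['package']}: {finding['reason']}")
        for cls in finding["services"]:
            print(f"  service: {cls}")
```

The script only reports; it does not change device state. Since the article notes that Vultur presses "Back" whenever the on-device uninstall screen appears, removal of a flagged package is better performed from a connected workstation with `adb shell pm uninstall --user 0 <package>` (a standard Android command, not something the article describes), which never shows that screen on the handset.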

The bogus Protection Guard app was installed over 5,000 times before it was removed from the Play Store. 
