New malware that targets banking apps has been discovered. It is installed through bogus apps on the Google Play Store. Called Vultur, it uses a VNC server to record everything that happens on the screen.
New virus takes passwords
A previously unauthenticated Android remote access Trojan has been found to utilize screen recording highlights to steal sensitive information on the device, counting keeping money qualifications, and open the door to defraud the device.
Cyber security firm ThreatFabric has spotted banking malware that uses a new technique to steal passwords. Most programs of this type display a web page on top of banking applications, prompting the user to enter their credentials.
Vultur Malware
Virtual Network Computing (VNC), the mobile malware was distributed via the official Google Play Store and disguised as an app attracting more than 5000 facilities.
Brunhilda is a "dropper", in other words its only function is to allow the installation of other malware. Vultur needs to obtain permissions to record the screen and perform actions, and to do so deceives users by displaying an overlay already seen with other malware.
Banking malware such as MysteryBot, Grandoreiro, and Vizom have traditionally relied on overlay attacks that is, creating a false copy of a bank's login page and overlaying it on top of a legitimate application to trick victims into revealing their passwords and other important private information, increasingly Evidence that threat actors are veering away from this approach.
How does Vultur work?
In a report published earlier this week, Italian cybersecurity firm Cleafy unveiled UBEL, an updated variant of Oscorp, noted for using WebRTC to interact with a hacked Android phone in real time.
Furthermore, the malware uses ngrok, a cross-platform utility used to expose local servers behind NATs and firewalls to the public Internet via secure tunnels, to provide remote access to a VNC server running locally on the phone.
In addition, it also establishes connections with the Command and Control server (C2) to receive commands via Firebase Cloud Messaging (FCM), whose results, including extracted data and screenshots, are then sent to the server.
The ThreatFabric investigation also linked Vultur to another well-known piece of malware called Brunhilda, a dropper that uses the Play Store to distribute various types of malware in a so-called DaaS process, citing overlaps in source code and infrastructure.
The Amsterdam-based cybersecurity services firm said these links indicate that Brunhilda is a privately operated threat actor with its own dropper and owned by RAT Vultur.
The researchers concluded, “The Vultur story once again shows how actors switch from using rented (MaaS) Trojans sold in underground markets to proprietary malware tailored to the needs of this group.”
Over 30,000 potential installations
The malware monitors application usage and launches as soon as it detects one of the 103 target applications on its list.
It captures the screen of the smartphone as well as all the keystrokes in order to obtain the bank details, as well as those of Facebook, Viber and TikTok. Vultur is currently targeting applications for banks in Italy, Spain, the Netherlands, UK and Australia.
The presence of Vultur is fairly easy to detect since the “Caster” icon in the Android notification area indicates that “Protection Guard” is broadcasting the screen. However, the malware is difficult to remove since it activates the “Back” function as soon as the smartphone displays the screen allowing it to be uninstalled.
The bogus Protection Guard app was installed over 5,000 times before it was removed from the Play Store.
Ycredciafepi Dana Head https://wakelet.com/wake/ZJWtZLT0QeIUuarrP3Xdo
ReplyDeletetawarmidisch
gionaanhi Robert Ritchie Website
ReplyDeleteVMware Workstation
Crack
tlinbucktina
nistmaZtazo Wewere Tucson click
ReplyDeleteClick
diotrucuntab