After making its first in-the-wild appearance in March 2021, Vultur—an information-stealing RAT that runs on Android—is back. And its dropper is equally nasty.
Vultur (Romanian for "vulture") is known to target banks, cryptocurrency wallets, social media (Facebook, TikTok), and messaging services (WhatsApp, Viber) to harvest credentials using keylogging and screen recording.
According to ThreatFabric, the mobile security company that first spotted Vultur in 2021, the criminals behind the malware have steered away from the HTML overlay technique usually seen in Android banking Trojans. Overlays cost the attackers time and effort, because a convincing fake login screen has to be built and maintained for every targeted app. By recording the screen and logging keystrokes instead, Vultur's operators get the same credentials with less work.
One of the Android droppers that delivers Vultur (among other payloads) is Brunhilda, a privately operated dropper. Early Vultur variants were dropped by an Android app called "Protection Guard", which had 5,000 installs on the Google Play Store when it was discovered. Note, however, that there are many Brunhilda dropper apps on the Store, so the real infection count could be a lot higher.
A Brunhilda dropper masquerading itself as a faux security solution for Android. (Source: ThreatFabric)
ThreatFabric believes the group behind this dropper and the group behind Vultur are one and the same, and has linked the two for the following reasons:
Moreover, the group behind Vultur can see everything the user does on the device, thanks to a real-time VNC (Virtual Network Computing) screen-sharing implementation. VNC is a legitimate tool for viewing and controlling a device remotely, so whatever the user sees on the phone screen, the actors see too. For the VNC session to reach the device from outside, Vultur uses ngrok, another legitimate tool that uses an encrypted tunnel to expose local services sitting behind firewalls and NAT (network address translation) to the public Internet.
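Because ngrok is legitimate, a phone talking to ngrok's infrastructure is not proof of compromise, but an Android device with no developer tooling on it has little reason to do so. The script below is an added example, not code from the original post or from ThreatFabric, Pradeo or Malwarebytes: it runs a suffix-anchored match for ngrok-owned domains over a few constructed DNS/connection log lines and groups hits by source device. The domain list and the log format are assumptions made for the example; the suffix check deliberately rejects look-alike names such as `www.notngrok.io`, which a naive substring match would flag.

```python
"""Flag Android devices that contact ngrok tunnel infrastructure in DNS/proxy logs."""
import re
from collections import defaultdict

# ngrok-owned domains used by the agent's control channel and its public endpoints.
# This list is an assumption made for the example (ngrok has changed domains over
# time); keep it current before using it for real detection.
NGROK_SUFFIXES = ("ngrok.com", "ngrok.io", "ngrok-agent.com", "ngrok-free.app", "ngrok.app")

# Constructed log lines in a simple "<ts> <kind> <src_ip> <dst_host>:<dst_port>" format.
SAMPLE_LOG = """\
2022-01-28T10:02:11Z dns 10.0.0.5 tunnel.ngrok.com:53
2022-01-28T10:02:11Z conn 10.0.0.5 tunnel.ngrok.com:443
2022-01-28T10:02:13Z conn 10.0.0.5 play.googleapis.com:443
2022-01-28T10:03:40Z conn 10.0.0.7 www.notngrok.io:443
2022-01-28T10:04:02Z conn 10.0.0.5 2.tcp.ngrok.io:14233
2022-01-28T10:04:09Z conn 10.0.0.9 api.example.com:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>dns|conn) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+)$"
)


def is_ngrok_host(host):
    """True if host is an ngrok domain or a subdomain of one (label-boundary anchored)."""
    h = host.rstrip(".").lower()
    return any(h == s or h.endswith("." + s) for s in NGROK_SUFFIXES)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def find_ngrok_contacts(log_text):
    """Return {src_ip: [(ts, kind, host, port), ...]} for every ngrok contact seen."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_ngrok_host(rec["host"]):
            hits[rec["src"]].append((rec["ts"], rec["kind"], rec["host"], rec["port"]))
    return dict(hits)


if __name__ == "__main__":
    for src, events in find_ngrok_contacts(SAMPLE_LOG).items():
        print(f"{src}: {len(events)} ngrok contact(s)")
        for ts, kind, host, port in events:
            print(f"  {ts} {kind} {host}:{port}")
```

Run against the constructed sample, only 10.0.0.5 is reported, with three events; the look-alike domain from 10.0.0.7 is ignored. In a fleet, a single device with repeated contacts to ngrok's control-channel hosts is the signal worth triaging.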
Recently, researchers from Pradeo, another mobile security vendor, found a fresh Vultur variant after spotting a fake two-factor authentication (2FA) app on the Google Play Store. The dropper app, named "2FA Authenticator", is responsible for installing Vultur on Android devices. Pradeo's report does not say whether this dropper is Brunhilda.
The still-unnamed Vultur dropper spotted on the Play Store. Before it was pulled, it had more than 10,000 downloads. Look closer and the screenshots used to showcase the app are reworked versions of images belonging to a legitimate authenticator app on the Play Store. (Source: Pradeo)
"2FA Authenticator", as Pradeo noted, was built from the open source code of Aegis Authenticator, a legitimate 2FA app with a presence on the Play Store, modified to include malicious code. Because the app appears to work as advertised, users are less likely to suspect it.
Building a dropper that also works as a functioning app is not a new tactic; another Android malware family, BRATA, uses it as well.
The automated Vultur attack comes in two stages. The first is profiling: the dropper prompts the user for consent to critical permissions that were never disclosed in its Play Store listing. These are:
The second stage is the installation of Vultur itself. Pradeo noted that the dropper does not drop Vultur simply because it has been executed; the attack escalates to this stage only if the information collected during profiling meets certain conditions.
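The gap between what a listing discloses and what the manifest actually declares is something you can check before installing, or after the fact on an APK pulled from a device. The script below is an added example, not code from the original post or from Pradeo's research: it parses a constructed, already-decoded AndroidManifest.xml (a real APK's manifest is binary XML and would first need a decoder such as apktool, which is assumed here), compares the declared permissions against a hypothetical set the store listing admitted to, and flags the undisclosed ones that matter for a dropper: the ability to install further packages, to enumerate installed apps for profiling, and to bind an accessibility service. The risk list is this example's selection, not the permission list from the Vultur report.

```python
"""Triage a decoded AndroidManifest.xml for high-risk permissions a listing never disclosed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions that let an app install other code, watch the device, or enumerate it.
# This selection is the example's own, not a list taken from the Vultur research.
HIGH_RISK = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload a second-stage APK",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed apps (profiling)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.RECORD_AUDIO": "can record audio",
    "android.permission.READ_SMS": "can read SMS, including 2FA codes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.FOREGROUND_SERVICE": "can keep running in the background",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest for a 2FA-style app that quietly declares far more than it needs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.authenticator">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Authenticator">
        <service android:name=".Accessibility"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Hypothetical store listing: it only admitted to the camera (QR scanning) and network.
DISCLOSED = {"android.permission.CAMERA", "android.permission.INTERNET"}


def declared_permissions(manifest_xml):
    """All <uses-permission android:name="..."/> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def declares_accessibility_service(manifest_xml):
    """True if a <service> is bound with BIND_ACCESSIBILITY_SERVICE and filters the
    AccessibilityService action, i.e. the app can read and drive other apps' UI."""
    root = ET.fromstring(manifest_xml)
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) != ACCESSIBILITY_PERM:
            continue
        if any(a.get(NAME_ATTR) == ACCESSIBILITY_ACTION for a in svc.iter("action")):
            return True
    return False


def triage(manifest_xml, disclosed):
    """Return ({undisclosed high-risk permission: why it matters}, accessibility_flag)."""
    undisclosed = declared_permissions(manifest_xml) - set(disclosed)
    findings = {p: HIGH_RISK[p] for p in sorted(undisclosed) if p in HIGH_RISK}
    return findings, declares_accessibility_service(manifest_xml)


if __name__ == "__main__":
    findings, accessibility = triage(SAMPLE_MANIFEST, DISCLOSED)
    for perm, why in findings.items():
        print(f"UNDISCLOSED {perm}: {why}")
    if accessibility:
        print("Declares an accessibility service (can observe and control other apps)")
```

On the constructed manifest the three undisclosed high-risk permissions are reported alongside the accessibility service; an authenticator that only scans QR codes needs none of them. Note that an accessibility service is granted by the user in Settings rather than through a runtime permission prompt, which is why it is checked separately from the `<uses-permission>` entries.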
If you have installed an app you suspect is malicious, go to Settings > Apps, look for "2FA Authenticator" in the list, and uninstall it.
Stay safe!
The post Duo of Android dropper and payload target certain countries and app users appeared first on Malwarebytes Labs.