NCC : Fox-IT Releases New Tech Blog Analyzing the Vultur Android Malware

Fox-IT, part of NCC Group, has released an in-depth breakdown of some newly found technical features inside Vultur- a nefarious Android banking malware.

It was one of the first Android banking malware families to include screen recording capabilities and contains features such as keylogging and interacting with a victim's device screen. Vultur mainly targets banking apps for keylogging and remote control. ThreatFabric first discovered Vultur in late March 2021.

The authors behind Vultur have now been spotted adding new technical features, which allow the malware operator to further interact with the victim's mobile device remotely.

Vultur has also started masquerading more of its malicious activity by encrypting its Command-and-Control server (C2) communication, using multiple encrypted payloads that are then decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions.

Back in 2021, Vultur (ab)used legitimate software products, AlphaVNC and ngrok, to provide remote access to the VNC server running on the victim's device. Vultur was distributed through a dropper framework called Brunhilda, responsible for hosting malicious applications on the Google Play Store.

In a recent campaign, the Brunhilda dropper was spread in a hybrid attack using both SMS and phone calls. The first SMS message guides the victim to a phone call. When the victim calls the number, the fraudster provides the victim with a second SMS that includes the link to the dropper: a modified version of the McAfee Security app.

The dropper deploys an updated version of Vultur banking malware through three payloads, where the final two Vultur payloads effectively work together by invoking each other's functionality. The payloads are installed when the infected device has successfully registered with the Brunhilda C2 server.

In the latest version of Vultur, the threat actors have added seven new C2 methods and forty-one new Firebase Cloud Messaging (FCM) commands. Most of the added commands are related to remote access functionality using Android's Accessibility Services, allowing the malware operator to remotely interact with the victim's screen in a way that is more flexible compared to the use of AlphaVNC and ngrok.

Fox-IT's latest blog provides a comprehensive analysis of Vultur, beginning with an overview of its infection chain. The authors then delve into its new features, uncover its obfuscation techniques and evasion methods, and examine its execution flow. Following that, they dissect its C2 communication, discuss detection based on YARA, and draw conclusions.

Let's soar alongside Vultur's reinvigorated mobile malware strategies!

Visit Fox-IT's technical blog site to read the full write-up.