Vultur, the dreaded Trojan horse that siphons off bank accounts, is back! Even more dangerous than usual, it can take full control of your device remotely thanks to its new functions.

Vultur the dreaded Trojan horse that siphons off bank accounts


Bad news: the Vultur banking malware is making a comeback! First detected in 2021, this Trojan is one of the most dangerous on Android. It particularly stood out at the end of 2022, when it infiltrated numerous applications in the Play Store. Once it had contaminated a device, it recorded the screen and the information entered on it in order to recover banking data and empty the victim's bank accounts (see our article).

This time, it returns with new functions that make it even more formidable. According to the investigation carried out by Joshua Kamp, a cybersecurity researcher at NCC Group, a new version of the malware was recently deployed. It incorporates more advanced remote control capabilities and more developed evasion mechanisms, making the malware harder for typical protection tools, such as VPNs or antiviruses, to detect and block. It infects devices through a very sophisticated operation based on phone calls and fake applications.

Vultur: a Trojan horse with a sophisticated mode of infection

Vultur infects smartphones through a Telephony-Oriented Attack Delivery (TOAD) attack, which involves luring victims into a phone call. First, the target receives an SMS informing them that a transaction involving a large sum of money is in progress, and asking them to contact a number if they are not the originator. Obviously, this transaction does not exist; it is simply a pretext to create a feeling of urgency and encourage the victim to act quickly. The victim then ends up talking to a cybercriminal posing as McAfee customer service, who sends them an SMS containing an installation link for the fake McAfee Security application.

The particularity of this corrupted app is that it is what is known as a dropper: it does not contain the malware itself, it is only used to install Vultur, which allows it to fly under the radar. Once deployed, the virus does everything it can to seize the victim's banking details as well as the private keys that give access to their cryptocurrency wallets.
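As an added illustration (not from the article or from NCC Group's report), here is a defender-side triage script that parses the output of `adb shell pm list packages -i` and flags packages that were not installed by a trusted app store, which is how a sideloaded dropper such as the fake McAfee Security app would show up; the sample output, the trusted-installer set and the system-prefix allow-list are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of `adb shell pm list packages -i` output (not real device data).
# A sideloaded app typically shows `installer=null` or an unexpected installer package.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.mcafee.security  installer=null
package:com.example.bank  installer=com.android.vending
package:com.samsung.android.messaging  installer=null
"""

# Assumed allow-lists: app stores we trust, and vendor/system prefixes that
# legitimately report installer=null because they ship with the firmware.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
SYSTEM_PREFIXES = ("com.android.", "com.samsung.", "com.google.android.")

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when unknown/sideloaded)."""
    installers: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def find_sideloaded(installers: Dict[str, str]) -> List[str]:
    """Return packages not installed by a trusted store and not a known system prefix."""
    flagged: List[str] = []
    for pkg, installer in sorted(installers.items()):
        if installer in TRUSTED_INSTALLERS or pkg.startswith(SYSTEM_PREFIXES):
            continue
        flagged.append(pkg)
    return flagged


if __name__ == "__main__":
    for pkg in find_sideloaded(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print(f"review: {pkg} was not installed from a trusted store")
```

On a real device, replace the constructed sample with the live output of `adb shell pm list packages -i` and review every flagged package, paying attention to names that imitate security or banking brands.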

Fake McAfee Security app launched © NCCGroup

Vultur: the virus is full of new functions

The latest version of Vultur includes several new features. First of all, it incorporates new evasion mechanisms to avoid detection. Once installed, the malware allows the attacker to monitor the victim's activity in real time through screen and keyboard recording, but also to take control of the device remotely. In addition, this variant is now able "to interact remotely with the victim's screen in a more flexible way". For example, the virus can tap on content in place of the user, scroll or swipe a page, or download, delete and search for files. Additionally, Vultur can block the use of specific applications and the display of notifications in order to prevent the malware from being detected and removed. For the cybersecurity researcher, it is obvious that "the main goal is to gain full control over compromised devices".

This control allows the virus to record the passwords and logins entered by the user and to intercept SMS messages, which is particularly handy for bypassing two-factor authentication. This allows the attacker to siphon money from the victim's bank account and empty their cryptocurrency wallet. Unfortunately, the researcher says he expects "more features to be added to Vultur in the near future". This is why we recommend that you be very careful. Above all, do not trust SMS messages from unknown senders, and do not click on dubious links!
