The Vultur banking trojan has a new version that scares the world: how to avoid it

There is alarm around the world after the detection of a new, updated and more insidious version of the well-known Android banking trojan “Vultur”. First identified three years ago, it is considered by experts to be one of the ten most widespread banking malware families of 2023: with its nine identified variants, it managed to infect 112 banking apps in 15 countries. This explains the concern among those who work in the sector.

According to security researchers at Fox-IT, part of NCC Group, the updated version of Vultur has been strengthened with new advanced remote-control capabilities and new techniques for evading analysis and detection.

“What's new is that Vultur has started to further shield its malicious activities, encrypting the communication with the C2 server and using multiple encrypted payloads, decrypted in real time, and using supposedly legitimate applications to carry out its malicious actions,” explained NCC Group researcher Joshua Kamp.

It all starts with an SMS about a fake transaction involving a large sum of money, a technique known as “smishing”. “The first message guides the victim to a phone call”, Kamp specifies. The recipient is encouraged to telephone what appears to all intents and purposes to be a customer assistance service. When this happens, the cybercriminal convinces the victim to install a version of the McAfee Security app via a link sent in a second SMS: a version that is only apparently legitimate but has actually been modified, since it is the Brunhilda dropper.

Once started, the malicious dropper downloads and executes three Vultur payloads, two APK files and a DEX file. These register the device with the C2 server and, after obtaining Android accessibility service permissions, provide remote access by installing AlphaVNC and ngrok, so that commands received from the C2 server can be executed on the device.

Among the new features implemented in the trojan are the ability to download, upload, delete, install and find files remotely; to control the infected device through Android accessibility services (for example, sending scroll or tap commands, or muting and unmuting audio); to prevent apps from running; to display a custom notification in the status bar; and to disable Keyguard in order to bypass lock-screen security measures. Furthermore, Vultur now uses new techniques to evade detection by analysis tools.

To best protect yourself from the trojan, it is always advisable to install reputable antivirus software and to keep your guard up even when downloading apps from trusted portals, as well as always avoiding downloads from unknown sites, clicking on links in text messages or emails, or granting apps access to accessibility services.

It is also good practice to check whether the permissions an app requests at installation are consistent with what it is supposed to do: it is clear that, for example, a program for generating random passwords should never request access to your mobile device's microphone or camera.
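The advice in the last two paragraphs (be wary of granting accessibility services, and compare the permissions an app requests with its purpose) can be turned into a quick device audit. The script below is an added example and is not code from the article or from Fox-IT/NCC Group. It parses text in the layout produced by two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <package>`, but the sample outputs embedded in it are constructed, and the allow-lists `EXPECTED` and `TRUSTED_ACCESSIBILITY` are assumptions made for the example rather than any standard.

```python
import subprocess
from typing import Dict, List, Set

# Permissions worth questioning unless the app's purpose clearly needs them.
HIGH_RISK: Set[str] = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.RECEIVE_SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Assumed allow-lists for the example: what each kind of app plausibly needs.
EXPECTED: Dict[str, Set[str]] = {
    "password_generator": {"android.permission.INTERNET"},
    "video_call": {"android.permission.INTERNET", "android.permission.CAMERA",
                   "android.permission.RECORD_AUDIO"},
}

# Accessibility services the device owner knowingly relies on (assumed).
TRUSTED_ACCESSIBILITY: Set[str] = {"com.android.talkback"}


def parse_enabled_accessibility(setting_value: str) -> List[str]:
    """Package names from enabled_accessibility_services ('pkg/Service' entries
    joined by ':'; the value is 'null' when nothing is enabled)."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]


def untrusted_accessibility(setting_value: str) -> List[str]:
    """Packages with an enabled accessibility service not on the trusted list."""
    return sorted(p for p in parse_enabled_accessibility(setting_value)
                  if p not in TRUSTED_ACCESSIBILITY)


def parse_requested_permissions(dumpsys_text: str) -> List[str]:
    """Entries under 'requested permissions:' in `dumpsys package` output."""
    perms: List[str] = []
    in_section = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if in_section:
            # The next header ('install permissions:') or a blank line ends it.
            if not stripped or stripped.endswith(":"):
                break
            perms.append(stripped.split(":", 1)[0])
    return perms


def audit_permissions(dumpsys_text: str, category: str) -> Dict[str, List[str]]:
    """Requested permissions outside the category's allow-list, plus the
    high-risk subset that deserves a hard look before installing."""
    requested = parse_requested_permissions(dumpsys_text)
    allowed = EXPECTED.get(category, set())
    unexpected = sorted(p for p in requested if p not in allowed)
    return {"requested": requested, "unexpected": unexpected,
            "high_risk": [p for p in unexpected if p in HIGH_RISK]}


def adb_shell(*args: str) -> str:
    """Run a shell command on a connected device (needs adb on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample outputs in the layout of the two commands; not captured
# from a real device.
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.passgen/com.example.passgen.HelperService")
SAMPLE_DUMPSYS = """\
  Package [com.example.passgen] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    # Against a real device, replace the samples with
    #   adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    #   adb_shell("dumpsys", "package", "com.example.passgen")
    for pkg in untrusted_accessibility(SAMPLE_ACCESSIBILITY):
        print(f"[!] accessibility service enabled for untrusted package {pkg}")
    report = audit_permissions(SAMPLE_DUMPSYS, "password_generator")
    for perm in report["high_risk"]:
        print(f"[!] {perm} requested by a password generator; not justified")
```

The accessibility check matters because the Vultur chain described above depends on the victim enabling an accessibility service for the disguised app; the permission check is the article's password-generator test made mechanical, and the `video_call` category shows that the same permissions are acceptable when the app's purpose calls for them.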