Android Banking Trojan Relies on Screen Recording and Keylogging Instead of HTML


According to security experts at ThreatFabric, a newly found Android banking Trojan captures login credentials via screen recording and keylogging rather than HTML overlays.

The malware, dubbed Vultur and originally discovered in March 2021, uses AlphaVNC’s VNC (Virtual Network Computing) implementation to get full visibility into the victim system. Remote access to the device’s VNC server is provided by ngrok, which uses secure tunnels to expose endpoints behind NATs and firewalls to the Internet.

According to ThreatFabric, the mobile malware uses Accessibility Services to identify the app running in the foreground and begins screen recording if that app is on its target list. While projecting the screen, Vultur masquerades as an app called Protection Guard, and the projection is visible in the notification panel.

While Android banking Trojans are known to use the Accessibility Services to carry out criminal operations, they often use HTML overlays to deceive users into exposing their login details. Vultur does use an overlay, though, to obtain all of the permissions it needs to run unimpeded on the infected device.

The malware also takes advantage of Accessibility Services to log every key the user taps on the screen and to prevent the victim from manually uninstalling it. When the user opens the app’s information screen in settings, the malware auto-clicks the back button to return the user to the main screen.
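A defender-side triage for the behaviour combination described above (an Accessibility Service plus screen projection), added here as an example; it is not code from ThreatFabric or the original article. It assumes the manifest has already been decoded to text XML. The sample manifest, package name and `triage_manifest` are constructed for illustration, and a match is a prompt for manual review, not a Vultur signature.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Watcher" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Caster" android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Flag apps that declare an Accessibility Service, a screen-projection
    foreground service, and network access in the same manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    accessibility, projection = [], []
    for svc in root.iter("service"):
        name = svc.get(ANDROID + "name")
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        # An Accessibility Service is bound via this permission and action.
        if svc.get(ANDROID + "permission") == A11Y_PERM and A11Y_ACTION in actions:
            accessibility.append(name)
        # foregroundServiceType may list several types separated by '|'.
        types = (svc.get(ANDROID + "foregroundServiceType") or "").split("|")
        if "mediaProjection" in types:
            projection.append(name)
    has_internet = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "accessibility_services": accessibility,
        "projection_services": projection,
        "has_internet": has_internet,
        "review": bool(accessibility and projection and has_internet),
    }
```

Legitimate remote-support and screen-sharing apps can declare the same combination, so treat a hit as a reason to check the app's source and publisher.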

Vultur is a banking Trojan that primarily targets consumers in Australia, Italy, and Spain. Some victims were also seen in the Netherlands and the United Kingdom, but to a considerably smaller extent. The malware is also highly interested in stealing crypto-wallet credentials and keeps a close eye on social networking apps.

According to ThreatFabric, Vultur appears to be tied to Brunhilda, a privately managed dropper that previously distributed Alien, a variant of the Cerberus banking malware that was discovered in Google Play several months ago.

The Brunhilda sample connected with Vultur (it has the same icon, package name, and command and control server as a Vultur sample) has over 5,000 installs, out of a total of more than 30,000 installs that Brunhilda droppers are estimated to have had through Google Play and unofficial stores.

Jennifer Thomas