Full Report
Authored by Joshua Kamp

Executive summary (excerpt from "Android Malware Vultur Expands Its Wingspan"): The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are …
Analysis Summary
# Tool/Technique: Vultur (Banking Trojan)
## Overview
Vultur is a sophisticated Android banking malware primarily known for its screen recording and remote control capabilities. First discovered in 2021, recent variants have evolved to include more flexible remote interaction features driven through Accessibility Services, so the operator no longer has to go through the VNC/ngrok screen-streaming channel for every action. It is typically distributed via the **Brunhilda** dropper framework using a hybrid social engineering approach (SMS and phone calls).
## Technical Details
- **Type:** Malware family (Banking Trojan)
- **Platform:** Android
- **Capabilities:** Screen recording, keylogging, remote file management, Accessibility Services abuse, lock screen bypass, and C2 communication encryption.
- **First Seen:** March 2021
## MITRE ATT&CK Mapping
- **[TA0031 - Initial Access]**
  - T1518 - Software Discovery (Masquerading as McAfee/Accessibility Suite)
  - T1456 - Drive-By ITW (Social Engineering/SMS)
- **[TA0033 - Execution]**
  - T1204.001 - User Execution: Malicious Link
- **[TA0037 - Persistence]**
  - T1544 - Abuse Accessibility Features
- **[TA0038 - Privilege Escalation]**
  - T1544 - Abuse Accessibility Features
- **[TA0030 - Defense Evasion]**
  - T1406 - Obfuscation (Native code decryption, AES/Base64 C2 traffic)
  - T1622 - Debuggers and Anti-Analysis
- **[TA0035 - Collection]**
  - T1417.001 - Input Capture: Keylogging
  - T1513 - Screen Capture (VNC/Screen Streaming)
- **[TA0041 - Command and Control]**
  - T1102 - Web Service (Firebase Cloud Messaging - FCM)
## Functionality
### Core Capabilities
- **Screen Streaming:** Uses AlphaVNC and ngrok to provide the operator with a live view of the victim's device.
- **Keylogging:** Records user input, specifically targeting banking application credentials.
- **Hybrid Infection Chain:** Utilizes a "Telephone-oriented Attack Delivery" (TOAD) where SMS messages prompt a phone call to trick users into downloading a trojanized McAfee app.
### Advanced Features
- **Accessibility Services Abuse:** Can remotely perform scrolls, clicks, swipes, and mute/unmute audio.
- **Enhanced File Management:** New commands allow operators to download, upload, delete, install, and search for files on the device.
- **Evasion & Obfuscation:** Uses native code to decrypt three separate payloads on the fly; encrypts C2 communications using AES.
- **Lock Screen Bypass:** Ability to disable the Android "Keyguard" (lock screen) so the operator can act on the device while it would otherwise be locked.
- **App Blocking:** Can prevent specific applications (e.g., security tools or settings) from running.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - Dropper: `26f9e19c2a82d2ed4d940c2ec535ff2aba8583ae3867502899a7790fe3628400`
  - Vultur Payload: `1985336110f0034c29b8d73d479084658858f56e67909c2ffedf9223d7ca9bd2`
  - Vultur Payload: `c646c8e6a632e23a9c2e60590f012c7b5cb40340194cb0a597161676961b4de0`
- **Package Names:**
  - `com.datasafeaccountsanddata.club`
  - `com.app.freeguarding.twofactor`
- **Network Indicators:**
  - safetyfactor[.]online
  - cloudmiracle[.]store
  - flandria171[.]appspot[.]com
  - mcafee[.]960232[.]com
  - mcafee[.]053105[.]com
- **Behavioral Indicators:**
  - Unexpected requests for Accessibility Service permissions.
  - Presence of AlphaVNC or ngrok binaries in internal app directories.
## Associated Threat Actors
- Owners/operators of the **Brunhilda** dropper framework.
## Detection Methods
- **Behavioral detection:** Monitoring for apps that request Accessibility Services and immediately initiate background network connections or screen recording APIs.
- **Signature-based:** Scanning for specific VNC/ngrok artifacts embedded within APKs.
- **Network monitoring:** Detecting AES-encrypted traffic to known Firebase Cloud Messaging (FCM) endpoints or identified C2 domains.
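A small IoC matcher built from the indicators listed above, added here as an example (it is not code from the original report). It assumes a resolver log whose lines carry `client=<ip> query=<name>` and an MDM inventory export of (package name, APK SHA256) pairs; both inputs are constructed inline. The domain check refangs the `[.]` notation and matches subdomains while rejecting look-alike names.

```python
import re
# Indicators from the report above; the defanged domains are refanged below.
VULTUR_SHA256 = {"26f9e19c2a82d2ed4d940c2ec535ff2aba8583ae3867502899a7790fe3628400",
                 "1985336110f0034c29b8d73d479084658858f56e67909c2ffedf9223d7ca9bd2",
                 "c646c8e6a632e23a9c2e60590f012c7b5cb40340194cb0a597161676961b4de0"}
VULTUR_PACKAGES = {"com.datasafeaccountsanddata.club", "com.app.freeguarding.twofactor"}
DEFANGED = ["safetyfactor[.]online", "cloudmiracle[.]store", "flandria171[.]appspot[.]com",
            "mcafee[.]960232[.]com", "mcafee[.]053105[.]com"]

def refang(domain):
    """Turn a defanged indicator (a[.]b) back into a normalised hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")
VULTUR_DOMAINS = {refang(d) for d in DEFANGED}

def domain_matches(qname, iocs=VULTUR_DOMAINS):
    """True if qname equals an IoC domain or is a subdomain of one. The leading dot
    in the suffix test stops 'notmcafee.053105.com' matching 'mcafee.053105.com'."""
    host = qname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)

# Assumed resolver log layout (constructed for this example): "... client=<ip> query=<name>"
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")

def scan_dns_log(lines):
    """Return (client, queried name) pairs whose query hit a Vultur C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if m and domain_matches(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").lower().rstrip(".")))
    return hits

def scan_inventory(inventory):
    """inventory: (package_name, apk_sha256_hex) pairs, e.g. from an MDM export."""
    findings = []
    for pkg, digest in inventory:  # package names are case-sensitive, hex digests are not
        reasons = []
        if pkg in VULTUR_PACKAGES:
            reasons.append("known Vultur package name")
        if digest.lower() in VULTUR_SHA256:
            reasons.append("known Vultur SHA256")
        if reasons:
            findings.append((pkg, reasons))
    return findings

# Constructed sample input: benign traffic, two C2 hits, and a look-alike that must not match.
SAMPLE_DNS = ["client=10.0.0.12 query=www.example.com.", "client=10.0.0.12 query=api.safetyfactor.online.",
              "client=10.0.0.17 query=MCAFEE.053105.COM", "client=10.0.0.17 query=notmcafee.053105.com"]
SAMPLE_INVENTORY = [("com.android.chrome", "0" * 64),  # placeholder digest, not a real hash
                    ("com.app.freeguarding.twofactor", "1" * 64),
                    ("com.example.unknown", "26f9e19c2a82d2ed4d940c2ec535ff2aba8583ae3867502899a7790fe3628400")]
```

Running `scan_dns_log(SAMPLE_DNS)` flags the two C2 lookups only, and `scan_inventory(SAMPLE_INVENTORY)` reports one hit by package name and one by hash.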
## Mitigation Strategies
- **User Education:** Advise users never to install software (especially security apps) via links sent in SMS or suggested during unsolicited phone calls.
- **Play Protect:** Ensure Google Play Protect is enabled, as it often detects Brunhilda-based droppers.
- **Permission Hardening:** Restrict "Accessibility Services" permissions to only known, trusted applications.
- **MDM Policies:** For corporate environments, use Mobile Device Management to block sideloading of APKs.
## Related Tools/Techniques
- **Brunhilda:** The primary dropper framework used for distribution.
- **AlphaVNC / ngrok:** Legacy tools utilized for the VNC implementation within Vultur.