During a routine threat hunting exercise, Cyble Research Labs came across a post by a malware researcher regarding the Vultur Android banking trojan distributed via Google Play Store. The Vultur malware is delivered as an add-on payload via a fake app called 2FA Authenticator, which over 10,000 people have downloaded. As a result of the researchers’ alert, the app has been removed from Google Play.
Researchers first identified the “Vultur” Android banking trojan around March 2021. This variant uses screen recording to monitor the targeted device over Virtual Network Computing (VNC). Through that VNC session the malware obtains Personally Identifiable Information (PII) such as passwords, access tokens, banking credentials, and other financial data, which is then used to commit fraud.
Furthermore, threat intelligence and research on earlier samples suggest that the Threat Actor (TA) Brunhilda is linked to the Vultur campaign. Brunhilda is a privately operated dropper that has been seen dropping the Alien malware in the past.
Vultur variants are well known for committing device fraud. The malware is often distributed through the official Google Play Store and has two sets of features: screen recording and keylogging.
According to the analysis, the top countries targeted by these malware variants are Italy, Australia, Spain, and the United Kingdom.
Vultur takes a different approach to bank fraud than what we generally see from Android banking trojans. The typical banking trojan strategy abuses the overlay mechanism to deceive victims into disclosing their passwords and other sensitive data. Unlike other banking trojans such as Alien and Cerberus, however, Vultur uses a technique that is less technically versatile but highly effective – screen recording via VNC.
Technical Analysis
The technical details of the downloader and the Vultur malware are as follows.
APK Metadata Information – First stage (Downloader APK)
- App Name: 2FA Authenticator
- Package Name: com.privacy.account.safetyapp
- Main Activity: com.privacy.account.safetyapp.ui.MainActivity
- SHA256 Hash: 00a733c78f1b4d4f54cf06a0ea8cc33604512d6032ef4ef9114c89c700bfafcf

APK Metadata Information – Second stage (Vultur Malware App)
- App Name: 2FA Authenticator
- Package Name: com.creemextok
- Main Activity: com.creemextok.MainActivity
- SHA256 Hash: 1b290349c8ada90705f7e1f6aee3cc2c8fecd02163c490af37cf59a29ed24a23

Manifest Information
First Stage (Downloader APK)
The Downloader app requests 11 different permissions, out of which it abuses 3. The app requests the user for the following harmful permissions:
| Permissions | Description |
|---|---|
| CAMERA | Allows the application to use the camera to take pictures and videos. This enables the app to gather images captured by the camera at any time. |
| REQUEST_INSTALL_PACKAGES | Allows the app to install applications. |
| SYSTEM_ALERT_WINDOW | Allows the app to draw on top of other applications. |
SYSTEM_ALERT_WINDOW – The downloader app requests this high-risk permission, which appears in various banking trojans. It enables the malware to draw overlay displays that steal passwords, to lock users out of the device, and so on.
Apart from these three dangerous permissions, a closer look at the remaining permissions the app requests indicates that it exists to trick users into handing over personal information.
Leveraging these permissions, the app can gain full network access, run at startup, and disable the screen lock or password.
Furthermore, the app would gain permission to deactivate the keyboard, query all packages, and even use biometrics, such as the user’s fingerprint data.
The application’s complete set of permissions is represented below.

Second stage (Vultur Malware App)
The Vultur malware app requests 20 different permissions, out of which it abuses 6. The malware requests the user for the following harmful permissions:
| Permissions | Description |
|---|---|
| READ_EXTERNAL_STORAGE | Allows an application to read from external storage. |
| READ_PHONE_STATE | Allows the application to access the phone features of the device. |
| SYSTEM_ALERT_WINDOW | Allows the app to draw on top of other applications. |
| RECORD_AUDIO | Allows the application to access the audio record paths. |
| WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. |
| WRITE_SETTINGS | Allows an application to modify the system’s settings data. |
The application’s complete set of permissions is represented below.

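As an added example (not code from the report or from Cyble), the following Python script parses an AndroidManifest.xml and flags the permissions the report singles out as abused by the two stages, together with the overlay-plus-accessibility-service combination that enables keylogging and uninstall blocking. The manifest it runs on is constructed here: it reuses the downloader’s package name and permission set from the report and adds an accessibility service of the kind the second stage abuses.

```python
# Added example, not code from the Cyble report: triage an AndroidManifest.xml
# for the high-risk permissions the report attributes to Vultur's two stages.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Permissions the report singles out as abused by the downloader and payload.
HIGH_RISK = {
    OVERLAY: "draw overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
    "android.permission.CAMERA": "capture images and video",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_PHONE_STATE": "read phone identifiers",
    "android.permission.WRITE_SETTINGS": "modify system settings",
}

# Constructed manifest: the downloader's permissions plus a payload-style accessibility service.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.privacy.account.safetyapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="{OVERLAY}"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".Svc" android:permission="{A11Y}"/>
  </application>
</manifest>"""

def triage_manifest(xml_text: str) -> dict:
    """Summarise requested permissions, the flagged high-risk ones and the
    overlay + accessibility combination the report links to keylogging."""
    root = ET.fromstring(xml_text)
    perms = sorted(el.get(NS + "name", "") for el in root.iter("uses-permission"))
    flagged = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    has_a11y = any(s.get(NS + "permission") == A11Y for s in root.iter("service"))
    return {"package": root.get("package"), "permission_count": len(perms),
            "flagged": flagged, "accessibility_service": has_a11y,
            "overlay_with_a11y": has_a11y and OVERLAY in perms}

if __name__ == "__main__":
    r = triage_manifest(SAMPLE_MANIFEST)
    print(f"{r['package']}: {r['permission_count']} permissions, "
          f"{len(r['flagged'])} high-risk, overlay+a11y={r['overlay_with_a11y']}")
    for perm, why in r["flagged"].items():
        print(f"  {perm.rsplit('.', 1)[-1]}: {why}")
```

The same check can be pointed at a manifest decoded from any APK with apktool or a similar tool; the script only inspects permissions and service declarations, so it is a triage aid, not proof of maliciousness.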
Malware Behaviour
Figure 5 depicts the overall mechanism of the app that we analyzed, which consists of two stages – the downloader and the malware.

First Stage: Fake Authenticator Downloader
The identified app acts as a downloader, dropping an additional payload that masquerades as an update for third-party apps, which makes it nearly impossible for the user to detect.
While it is recommended that users only download apps from the Play Store, there is nothing users can do if the malicious app is delivered through Google’s official app gateway.
To appear authentic, the app developers implanted malicious code into the open-source code of the official Aegis authentication application. As a result, the app is effectively camouflaged as an authentication tool, allowing it to remain undetected.
The camouflaged 2FA Authenticator app requests important permissions that it does not disclose on its Google Play profile. These hidden permissions, together with the malicious code that the app executes, are:
- Collecting the list of applications used by the victim, along with their location, and sending it to the attackers so that they can carry out attacks targeted at specific individuals.
- Disabling the keylock and password security.
- Downloading third-party applications disguised as updated versions.
- Allowing attackers to execute actions freely even when the app is in a shut-off state.
- Overlaying the interface of other mobile apps using the high-risk SYSTEM_ALERT_WINDOW permission.
Figure 6 depicts the code that tracks the location of the user’s device.

Figure 7 shows the code that acquires a new wake lock to keep the user’s phone screen on, which prevents the device from going into an off state.

Additionally, the downloader app queries the list of packages installed on the user’s device, as shown in Figure 8.

Google advises that very few applications should use the SYSTEM_ALERT_WINDOW permission, since these windows are designed for system-level interaction with the user. Figure 9 depicts the code that adds an overlay on top of other apps.

Finally, deep-dive analysis identified the code for downloading the second payload. Unfortunately, since the Command and Control (C&C) server was already down during our analysis, we were unable to retrieve the second-stage payload from it. Regardless, we were able to obtain the sample through our OSINT research.
Figure 10 shares the code that downloads the additional payload from the C&C server.

Second Stage: Vultur Banking Trojan
Like most banking trojans, Vultur makes extensive use of Accessibility Services. When launched, the malware hides its app icon, after which it abuses Accessibility Services to obtain all the permissions it needs to operate effectively. The application also requests Accessibility Service access while displaying a WebView overlay, as seen in other malware families such as the Alien banking malware.
The Accessibility Event handler runs whenever a new event is triggered. The malware compares the source of the event against its list of keylogging targets (apps); if the triggered event matches an app on the list, Accessibility Services are used to keep a record of everything the user types.
Figure 11 depicts the code used for keylogging functionality using the Accessibility Event service.

The malware also abuses Accessibility Services to prevent users from uninstalling the app through the Settings menu. When users navigate to the Settings screen to uninstall it, the malware’s bot instantly redirects them to the main screen, denying them access to the removal option.
After hiding its application icon, the malware uses VNC to launch the screen recording functionality. VNC is a software mechanism used in applications to share the user’s screen with a remote party, and it is widely seen in third-party software like TeamViewer.
The actual VNC implementation in Vultur is based on AlphaVNC, which is used for screen projection on Android devices over the local network.
Vultur also employs the cross-platform tool “ngrok,” which connects the TA’s local development server to the internet without a public IP address or domain name. ngrok’s main feature is that it uses a secure channel to expose local servers behind firewalls and NAT to the public internet.
AlphaVNC and ngrok are both legitimate, legal tools; malware families such as Vultur and other Android banking trojans abuse them to obtain PII from their victims.
The primary VNC-like functionality is implemented in native code. The libavnc.so library, which is exposed to the application through a wrapper class, contains all of these features, including the nstart_vnc() method shown in the figure below.

Screen recording is the most significant threat that Vultur is capable of performing.
Using Accessibility Services, the malware determines which application is running in the foreground. If that application is on the list of targets, a screen recording session begins automatically.
Hint: If the user looks at the notification panel, Vultur’s presence may be revealed by the screen projection notification, which can be used to identify the screen recording performed by the malware.
The Vultur malware downloads the ngrok tool by interacting with the C&C server. It also communicates with the C&C server to receive commands via Firebase Cloud Messaging (FCM) and to report the information it collects.
The commands, methods, and paths discovered in the sample, which are typical of Vultur malware, are listed in the tables below.
C&C Methods:
| Method | Description |
|---|---|
| vnc.register | Sends registration information. |
| vnc.status | Sends the VNC address and device status. |
| vnc.apps | Sends the list of installed packages. |
| vnc.keylog | Sends the log of pressed keys. |
| vnc.config | Retrieves the configuration of target packages for the keylogging functionality. |
| vnc.overlay.logs | Sends the logs collected through the overlay. |

FCM Commands:
| Command | Description |
|---|---|
| registered | Notification received upon successful registration. |
| start | Establishes a VNC connection using ngrok. |
| stop | Terminates the VNC connection by removing the address, killing the ngrok process, and stopping the VNC service. |
| unlock | Unlocks the screen. |
| delete | Removes the malware package. |
| pattern | Provides a gesture/stroke pattern for the device to execute. |

C&C Paths:
- /rpc/ – JSON-RPC endpoint for C&C communication
- /upload/ – POST endpoint for uploading files (e.g., screen recordings)
- /version/app/?filename=ngrok&arch={arm|386} – download endpoint for the relevant ngrok version

Identified C&C servers:
- Downloader file: hxxps://privacyandroidapp[.]club
- Vultur malware file: hxxps://letsbeapornostar[.]club
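As an added example (not code from the report or from Cyble), the following Python detection logic applies the C&C paths, JSON-RPC method names and domains listed above to HTTP proxy log lines. The log format and the sample lines are constructed here as assumptions; the two hosts are the report’s defanged C&C domains restored so that they match.

```python
# Added example (not from the Cyble report): scan constructed HTTP proxy log lines
# for the C&C paths and JSON-RPC methods the report lists for Vultur; hosts are the
# report's defanged domains, re-fanged so they match.
import json
import re
from urllib.parse import parse_qs, urlsplit

C2_HOSTS = {"privacyandroidapp.club", "letsbeapornostar.club"}
C2_METHODS = {"vnc.register", "vnc.status", "vnc.apps",
              "vnc.keylog", "vnc.config", "vnc.overlay.logs"}
# Constructed format: "<ts> <src> <verb> <url> <status> [<json body>]"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})(?: (.*))?$")

SAMPLE_LOG = """\
2022-02-01T10:00:01Z 10.0.0.5 GET https://example.org/index.html 200
2022-02-01T10:00:07Z 10.0.0.5 GET https://letsbeapornostar.club/version/app/?filename=ngrok&arch=arm 200
2022-02-01T10:00:09Z 10.0.0.5 POST https://letsbeapornostar.club/rpc/ 200 {"jsonrpc":"2.0","method":"vnc.register","params":{}}
2022-02-01T10:00:15Z 10.0.0.5 POST https://letsbeapornostar.club/upload/ 200
2022-02-01T10:00:20Z 10.0.0.6 POST https://api.example.org/rpc/ 200 {"jsonrpc":"2.0","method":"getStatus"}
"""

def classify(line: str):
    """Return (reason, detail) when the line matches a Vultur C&C pattern, else None."""
    if not (m := LOG_RE.match(line)):
        return None
    url, body = urlsplit(m.group(4)), m.group(6)
    query = parse_qs(url.query)
    # /version/app/?filename=ngrok&arch=... is the ngrok helper download.
    if url.path == "/version/app/" and "ngrok" in query.get("filename", []):
        return ("ngrok download", f"{url.hostname} arch={query.get('arch', ['?'])[0]}")
    # /rpc/ carries JSON-RPC; only the report's vnc.* method names are flagged.
    if url.path == "/rpc/" and body:
        try:
            method = json.loads(body).get("method")
        except (ValueError, AttributeError):
            method = None
        if method in C2_METHODS:
            return ("vultur rpc method", f"{url.hostname} {method}")
    # Anything else to a known C&C host, e.g. /upload/ of screen recordings.
    if url.hostname in C2_HOSTS:
        return ("known c2 host", f"{url.hostname}{url.path}")
    return None

def scan(log_text: str) -> list:
    """Apply classify() per line; return [(line_no, reason, detail), ...]."""
    return [(n, *hit) for n, line in enumerate(log_text.splitlines(), 1)
            if (hit := classify(line))]

if __name__ == "__main__":
    for n, reason, detail in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}: {detail}")
```

The path and method checks are deliberately independent of the host list, so the same logic still fires when the TA rotates domains but keeps the Vultur protocol.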
Conclusion
Based on the above analysis, banking trojans on mobile platforms no longer carry out attacks purely through overlays or rented Mobility as a Service (MaaS) trojans.
Remote Access Trojans (RATs) such as Vultur start screen recording by identifying foreground applications that appear in their list of target apps. This malware is evolving in tandem with the security measures used by financial institutions.
Financial institutions must improve their mobile-first strategy with knowledge of the security landscape and prepare for the threats posed by this malware. This can be accomplished by developing a mobile security strategy that is driven by real-time threat intelligence.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of defence against attackers. We recommend that our readers follow the best practices given below:
How To Prevent Malware Infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How To Identify Whether You Are Infected?
- Regularly check the mobile/Wi-Fi data usage of the applications installed on your mobile devices.
- Keep an eye on the alerts provided by anti-virus software and the Android OS, and take the necessary actions accordingly.
What To Do When You Are Infected?
- Disable Wi-Fi/mobile data and remove the SIM card, as in some cases the malware can re-enable mobile data.
- Perform a factory reset of the device.
- Remove the application if a factory reset is not possible.
- Take a backup of personal media files (excluding mobile applications) and perform a device reset.
What To Do In Case Of Any Fraudulent Transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What Should Banks Do To Protect Their Customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or email.
MITRE ATT&CK® Techniques
Downloader APK:
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Discovery | T1421 | System Network Connections Discovery |
| Discovery/Collection | T1430 | Location Tracking |
| Discovery | T1426 | System Information Discovery |
| Collection | T1507 | Network Information Discovery |
| Command and Control | T1509 | Uncommonly Used Ports |
| Impact | T1447 | Delete Device Data |
Vultur Malware:
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1415 | Deliver Malicious App via Authorized App Store |
| Defense Evasion | T1444 | Masquerade as Legitimate Application |
| Collection | T1513 | Screen Capture |
| Credential Access | T1417 | Input Capture (Keylogger) |
| Command and Control | T1509 | Uncommonly Used Ports |
Indicators Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
|---|---|---|
| 00a733c78f1b4d4f54cf06a0ea8cc33604512d6032ef4ef9114c89c700bfafcf | SHA-256 | Downloader APK Sample |
| 180233cedd3b705d96acd7041e44dd66f239d718 | SHA-1 | Downloader APK Sample |
| 0d00206b8e9814ec56c8ed8cff4de107 | MD5 | Downloader APK Sample |
| 11558904bb5a8ae28100dd6f139f31c837411d56adfae6a0c3d4d980e7fb8953 | SHA-256 | Similar Pattern of Downloader APK Sample |
| e05c2784c71fafc3f8d95077d419c99bc4770de5 | SHA-1 | Similar Pattern of Downloader APK Sample |
| f02b43edca6f52926a99145572b64b98 | MD5 | Similar Pattern of Downloader APK Sample |
| 1b290349c8ada90705f7e1f6aee3cc2c8fecd02163c490af37cf59a29ed24a23 | SHA-256 | Vultur Malware Sample |
| c8ec9e2161fc05f6e3ff05ee0a3c5d4525795a84 | SHA-1 | Vultur Malware Sample |
| 8520d93c3ccead6d9b65c170b7dbdc72 | MD5 | Vultur Malware Sample |
| hxxps://privacyandroidapp[.]club | C2 URL | C2 server used for downloading the Vultur malware payload |
| hxxps://letsbeapornostar[.]club | C2 URL | C2 server of the Vultur malware |