New financial institution fraud malware known as Vultur infects 1000’s of gadgets


Recently discovered Android malware, some of which are distributed through the Google Play Store, uses a novel method to speed up the process of collecting credentials from 100+ banking and cryptocurrency applications.

The malware, which researchers at Amsterdam-based security company ThreatFabric Vultur call, is one of the first Android threats to record a device screen when one of the target apps is opened. Vultur uses a real implementation of the VNC screen sharing application to mirror the infected device’s screen to an attacker-controlled server, ThreatFabric researchers said.

Threat substance

Threat substance

The next level

The typical Modus Operandi for Android-based banking fraud malware is to pop a window over the login screen of a targeted app. The “overlay”, as such windows are usually called, is identical to the user interface of the banking app and gives the victims the impression that they are entering their access data into trustworthy software. Attackers then harvest the credentials, enter them into the app running on another device, and withdraw money.

“Banking threats on the mobile platform are no longer based solely on known overlay attacks, but are developing into RAT-like malware that inherits useful tricks such as detecting foreground applications to start screen recording,” write ThreatFabric researchers about the new Vultur – Approach in One Entry.


They continued:

This takes the threat to another level as such features open the door to fraud on the device and bypass detection based on phishing MOs that require fraud from a new device: With Vultur, fraud can be carried out on the victim’s infected device happen. These attacks are scalable and automated as the actions to execute fraud on the malware backend can be scripted and sent in the form of sequential commands.

Like many Android banking Trojans, Vultur relies heavily on accessibility services built into the mobile operating system. During the initial installation, Vultur misuses these services in order to obtain the permissions required to work. To do this, the malware uses an overlay from other malware families. From then on, Vultur monitors all requests that trigger the accessibility services.

Threat substance

Stealth and more

The malware uses the services to detect requests coming from a target application. The malware also uses the services to prevent the app from being deleted using conventional measures. In particular, when the user tries to access the screen with the app details in the Android settings, Vultur automatically clicks the Back button. This will prevent the user from accessing the uninstall button. Vultur also hides its symbol.

Another way the malware stays stealthy: Trojan apps that they install are fully functional programs that actually provide real services like fitness tracking or two-factor authentication. Despite the cloaking attempts, however, the malware provides at least one tell-tale sign that it is running – every Trojanized app Vultur has installed will appear as a projection of the screen in the Android notification panel.

Threat substance

Once installed, Vultur will start screen recording using Alpha VNC’s VNC implementation. To enable remote access to the VNC server running on the infected device, the malware uses ngrok, an app that uses an encrypted tunnel to make local systems hidden behind firewalls accessible to the public internet.


The malware is installed by a trojanized app called Dropper. So far, ThreatFabric researchers have found two Trojanized apps on Google Play that install Vultur. Together they had about 5,000 installations, which led the researchers to estimate that Vultur infections are in the thousands. Unlike most Android malware that relies on third-party droppers, Vultur uses a custom dropper now called Brunhilda.

“This dropper and Vultur are both developed by the same group of threat actors,” the ThreatFabric researchers wrote. “The decision to develop its own private Trojan instead of renting malware from third-party providers shows a strong motivation for this group, coupled with the overall high structure and organization of the bot and the server code.”

The researchers found that Brunhilda was used in the past to install various Android banking malware called Alien. Overall, the researchers estimate that Brunhilda infected more than 30,000 devices. The researchers based the estimates on malicious apps that were previously available in the Play Store – some with more than 10,000 installations each – as well as numbers from third-party markets.

Vultur is programmed to record screens when any of 103 Android banking or cryptocurrency apps are running in the foreground. Italy, Australia and Spain were the countries with the most target banks.

Threat substance

In addition to banking and cryptocurrency apps, the malware also collects login information for Facebook, Facebook’s own WhatsApp messenger, TikTok and Viber Messenger. Gathering credentials for these apps is done through traditional keylogging, although the ThreatFabric post didn’t explain why.

While Google has removed all Play Market apps known to contain Brunhilda, the company’s track record suggests that new Trojanized apps are likely to appear. Android users should only install apps that provide useful services and, if possible, only apps from well-known publishers. User reviews and app behavior should also be alerted to signs of malice.