The malware, dubbed “Vultur” by researchers at Amsterdam-based security firm ThreatFabric, was reportedly distributed through the Google Play Store. It was disguised as an app called “Protection Guard,” which garnered over 5,000 installations. The primary targets were banking and crypto-wallet apps from entities located in Italy, Australia, and Spain.
The researchers said they found that the remote access trojan (RAT) worked by taking advantage of accessibility permissions to capture keystrokes. It leveraged screen recording features to log all activities on the targeted device, enabling it to steal banking credentials and more.
Abuses accessibility services
When Vultur is first installed, it abuses accessibility services built into the mobile operating system in order to obtain the required permissions. It does so by borrowing an overlay from other malware families. After that, it goes to work monitoring all requests that trigger the accessibility services.
"For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric said.
The researchers said the tactics employed by the bad actors behind Vultur are a deviation from “the common HTML overlay development we usually see in other Android banking Trojans,” which tends to be a more time consuming way to siphon information.
“Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result,” the team wrote.
"The story of Vultur shows one more time how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of this group," the researchers concluded. "These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware backend and sent in the form of commands sequence, making it easy for the actor(s) to hit-and-run."