If the virus detects an app running in the foreground that is in its target list, it starts a screen recording session.
Researchers from cyber security firm ThreatFabric have released a study warning of a new type of malware that uses screen recordings to steal banking credentials from Android users.
This banking Trojan, dubbed Vultur, infiltrates Android devices via a dropper called Brunhilda, which has been discovered in a number of fitness, phone-security, and authentication apps on Google Play.
To date, it is estimated that 30,000 Android devices have been infected with Brunhilda, implying that thousands of Android users have been infected with Vultur.
Vultur, like other malware that targets Android devices, begins its infiltration by abusing Android Accessibility Services, which are supposed to enable users to personalize their devices.
Vultur’s method of obtaining login credentials from an infected device differs from those of other banking Trojans.
Threat actors have largely used overlay techniques in prior banking Trojan assaults, fooling victims into believing they are typing their login credentials into real banking software. According to academics, stealing user data in this manner frequently necessitates more effort and time.
Vultur, on the other hand, recognises when a user is filling out a data entry form. It then records the screen using the device’s Virtual Network Computing (VNC), starts keylogging through VNC, and sends all collected data to a malicious site run by the attackers.
"The biggest threat that Vultur offers is its screen recording capability. The Trojan uses Accessibility Services to understand what application is in the foreground. If the application is part of the list of targets, it will initiate a screen recording session." (ThreatFabric)
While Vultur was created to primarily gather banking login credentials, the researchers claim they have detected instances of keylogging for social networking apps such as Facebook, TikTok, and WhatsApp. The malware was also discovered targeting bitcoin apps in a small number of situations.
Users should not allow the infected app to access their device’s Accessibility Services to protect themselves against a Vultur malware attack, according to the researchers.
The system displays an active ‘casting’ indicator in the Android notifications when Vultur transfers data to its central server. If a user isn’t casting anything but the icon still appears in the notifications, it means the device has a security flaw.