Full Report
Authored by Joshua Kamp. Executive summary: The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are … (excerpt from the full report, "Android Malware Vultur Expands Its Wingspan")
Analysis Summary
# Tool/Technique: Vultur (Android Banking Malware)
## Overview
Vultur is an Android banking malware, first discovered in March 2021, which focuses on keylogging and remote control capabilities targeting banking applications. Recent activity shows the threat actors enhancing its remote interaction features, improving evasion tactics, and heavily encrypting its command and control (C2) communication.
## Technical Details
- Type: Malware family (Banking Trojan, Remote Access Trojan)
- Platform: Android
- Capabilities: Keylogging, screen recording, remote access (VNC/ngrok integration), file operations, device control via Accessibility Services, anti-analysis techniques.
- First Seen: March 2021
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on described functionality.*
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.004 - Custom Protocol (Implied by C2 encryption/Base64 encoding)
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information
- T1027.006 - Automated Deobfuscation (Implied by in-memory decryption of payloads)
- T1562 - Impair Defenses
- T1562.001 - Disable or Modify Tools (Disabling Keyguard)
- TA0002 - Execution
- T1204 - User Execution
- T1204.002 - Malicious File (Via Brunhilda dropper)
- TA0007 - Discovery
- T1083 - File and Directory Discovery
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Implied by banking malware core function)
## Functionality
### Core Capabilities
- **Banking Theft:** Keylogging and screen interaction used to target banking applications.
- **Remote Control:** Retained functionality using bundled AlphaVNC and ngrok for established remote access capabilities (VNC server access).
- **Multi-Stage Delivery:** Utilizes the **Brunhilda** dropper framework, deployed via a hybrid social engineering attack (SMS/Phone Call) masquerading as a security application (e.g., trojanized McAfee Security).
### Advanced Features
- **Enhanced Remote Interaction:** Significant expansion of remote control via 41 new Firebase Cloud Messaging (FCM) commands. This relies heavily on Android Accessibility Services to simulate user actions (scrolls, swipes, clicks, mute/unmute).
- **Evasion and Obfuscation:**
- Encryption: Implements AES encryption and Base64 encoding for C2 communications.
- Payload Splitting: Spreads malicious code across multiple payloads (up to 3) decrypted on the fly using native code.
- Masquerading: Modifies package names of legitimate apps (e.g., using `com.android.accessibility.for.macfee`) or uses legitimate application guises (McAfee Security).
- **Device Manipulation:**
- File management (download, upload, delete, find files).
- Ability to prevent specific applications from running.
- Displays custom notifications in the status bar.
- Disables the device Keyguard (lock screen security).
## Indicators of Compromise
- File Hashes:
- Old Variant Sample: `ad0571aef7b263125410a5037976f41e17ee7c022097f827bd74`
- Old Variant Sample: `c646c8e6a632e23a9c2e60590f012c7b5cb40340194cb0a597161676961b4de0`
- Brunhilda Payload #1/Vultur #2 (Older context): `26f9e19c2a82d2ed4d940c2ec535ff2aba8583ae3867502899a7790fe3628400`
- File Names:
- Dropper packages masquerade as McAfee Security.
- Registry Keys: Not applicable (Android has no registry; no equivalent on-device artifacts are given in the report).
- Network Indicators:
- C2 Servers: `safetyfactor[.]online`, `cloudmiracle[.]store`
- FCM Indicators: `flandriac171[.]appspot[.]com`, `newyan-1e09d[.]appspot[.]com`
- Dropper Distribution URLs (Examples): `mcafee[.]960232[.]com`, `mcafee[.]353934[.]com`, etc.
- Behavioral Indicators:
- Execution involving multiple inter-dependent payloads (3 stages mentioned).
- Extensive use of Android Accessibility Services to simulate user input.
- Decryption routine utilizing native code within the final stages.
## Associated Threat Actors
The authors/threat actors behind Vultur are noted to be the same developers as the **Brunhilda** dropper framework.
## Detection Methods
- Signature-based detection: Signature matching against known Vultur hashes or malicious package names (e.g., `com.app.freeguarding.twofactor`).
- Behavioral detection: Monitoring for applications attempting to enable Accessibility Services or performing automated actions (swiping, clicking) without direct user input.
- YARA rules: The report mentions rules being developed for detection based on static analysis of the obfuscated code structure.
## Mitigation Strategies
- **User Education:** Caution users against unexpected urgent financial communications (SMS/calls) directing them to download security applications from third-party links.
- **Access Control:** Review and limit permissions granted to installed applications, especially Accessibility Services.
- **Application Sourcing:** Restrict installation to the official Google Play Store and avoid sideloading applications, even if they purport to be legitimate security software.
- **Network Monitoring:** Implement filtering for suspicious C2 domains used by Vultur and related Firebase Cloud Messaging endpoints.
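As an added example (not code from the report or from the analysts behind it), the following Python script turns the indicators in the Detection Methods section and the Access Control mitigation above into offline checks a defender can run over exported endpoint data: it refangs the defanged domains, flags DNS queries for the C2 and FCM hosts, matches installed package names and reported SHA-256 hashes against the IoCs, and reviews the `enabled_accessibility_services` setting for services from packages outside an allowlist. The DNS log lines, package list, hash inventory and allowlist are constructed samples; the dnsmasq-style log format and the allowlist contents are assumptions. The truncated hash in the IoC list is omitted because it cannot be matched.

```python
"""Offline triage against the Vultur indicators listed on this page.

Added example, not code from the report. Inputs below are constructed
samples; the dnsmasq-style log format and the allowlist are assumptions.
"""
import re

# --- Indicators taken from the page (domains kept in their defanged form) ---
KNOWN_PACKAGES = {
    "com.app.freeguarding.twofactor",
    "com.android.accessibility.for.macfee",
}
KNOWN_DOMAINS_DEFANGED = [
    "safetyfactor[.]online",         # C2
    "cloudmiracle[.]store",          # C2
    "flandriac171[.]appspot[.]com",  # FCM
    "newyan-1e09d[.]appspot[.]com",  # FCM
]
# The first hash on the page is truncated (52 hex chars) and cannot be matched.
KNOWN_SHA256 = {
    "c646c8e6a632e23a9c2e60590f012c7b5cb40340194cb0a597161676961b4de0",
    "26f9e19c2a82d2ed4d940c2ec535ff2aba8583ae3867502899a7790fe3628400",
}
# Accessibility services an organisation chooses to allow (assumption).
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}


def refang(indicator):
    """Convert a defanged indicator ('a[.]b', 'hxxp://') back to matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


KNOWN_DOMAINS = {refang(d) for d in KNOWN_DOMAINS_DEFANGED}


def parse_enabled_accessibility(setting):
    """Parse `adb shell settings get secure enabled_accessibility_services`:
    a colon-separated list of 'package/ServiceClass' component names."""
    components = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if "/" in entry:
            pkg, cls = entry.split("/", 1)
            components.append((pkg, cls))
    return components


def suspicious_accessibility_services(setting):
    """Packages with an enabled accessibility service that are not allowlisted.
    Vultur drives the UI through Accessibility Services, so any unexpected
    entry deserves a look even if its package name is not a known IoC."""
    return sorted({pkg for pkg, _ in parse_enabled_accessibility(setting)
                   if pkg not in ACCESSIBILITY_ALLOWLIST})


def match_packages(installed):
    """Installed package names (e.g. from `pm list packages`) that are known IoCs."""
    return sorted(pkg for pkg in installed if pkg in KNOWN_PACKAGES)


def match_hashes(inventory):
    """Filenames whose reported SHA-256 (as an MDM/EDR export gives it) is a known IoC."""
    return sorted(name for name, digest in inventory.items()
                  if digest.lower() in KNOWN_SHA256)


DNS_QUERY = re.compile(r"query\[[A-Z]+\]\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)")


def match_dns(log_lines):
    """(source, qname) pairs for queries hitting a known domain or a subdomain of it."""
    hits = []
    for line in log_lines:
        m = DNS_QUERY.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in KNOWN_DOMAINS):
            hits.append((m.group("src"), qname))
    return hits


# --- Constructed sample inputs ---
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.app.freeguarding.twofactor/.AccService")
SAMPLE_PACKAGES = ["com.android.chrome", "com.app.freeguarding.twofactor", "com.example.bank"]
SAMPLE_HASHES = {
    "Download/update.apk": "c646c8e6a632e23a9c2e60590f012c7b5cb40340194cb0a597161676961b4de0",
    "Download/game.apk": "00" * 32,
}
SAMPLE_DNS = [
    "Mar 28 10:01:02 dnsmasq[123]: query[A] safetyfactor.online from 10.0.0.12",
    "Mar 28 10:01:05 dnsmasq[123]: query[A] newyan-1e09d.appspot.com from 10.0.0.12",
    "Mar 28 10:01:09 dnsmasq[123]: query[A] www.example.org from 10.0.0.7",
]


def triage(setting=SAMPLE_SETTING, installed=SAMPLE_PACKAGES,
           inventory=SAMPLE_HASHES, dns_lines=SAMPLE_DNS):
    """Run every check and return the findings as one dict."""
    return {
        "accessibility": suspicious_accessibility_services(setting),
        "packages": match_packages(installed),
        "hashes": match_hashes(inventory),
        "dns": match_dns(dns_lines),
    }


if __name__ == "__main__":
    for check, findings in triage().items():
        print(f"{check}: {findings or 'no hits'}")
```

The accessibility check is deliberately allowlist-based rather than IoC-based: package names are cheap for the operators to change between campaigns, while the dependency on an enabled Accessibility Service is structural to how the malware drives the device. The FCM indicators are matched as exact hostnames (with subdomains) rather than by blocking `appspot.com` wholesale, since that domain hosts legitimate Google-backed services.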
## Related Tools/Techniques
- **Brunhilda:** Dropper framework used to initially distribute Vultur.
- **AlphaVNC & ngrok:** Previously used legitimate tools integrated for foundational remote access capabilities.
- **Banking Malware Families:** Generally categorized with other sophisticated Android banking Trojans targeting credential harvesting via overlay attacks or accessibility abuse.