BleepingComputer reports that more advanced features and increased stealth have been added to the updated Vultur Android banking trojan, which is being distributed via hybrid attacks.
Threat actors have used both smishing messages and phone calls to lure targets into downloading a weaponized version of the McAfee security app that carries the Brunhilda malware dropper, a report from NCC Group's Fox-IT revealed. Installing the app then executes Vultur-related payloads that enable compromise of Accessibility Services and connections to the command-and-control server.
Aside from retaining older iterations' keylogging, remote access, and screen recording capabilities, the new Vultur variant enables file management, app blocking, Accessibility Services exploitation, Keyguard deactivation, and custom notifications, according to researchers.
Developers of the Vultur banking trojan have also added encryption of C2 communications, on-the-spot decryption of various payloads, and payload decryption via native code, as well as the use of legitimate apps to better evade detection. Such a development suggests that Vultur could still be updated with more sophisticated features.