Vultur Android Banking Trojan Returns with Upgraded Remote Control Capabilities

The Android banking trojan known as Vultur has resurfaced with a suite of new features and improved anti-analysis and detection evasion techniques, enabling its operators to remotely interact with a mobile device and harvest sensitive data.

“Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions,” NCC Group researcher Joshua Kamp said in a report published last week.

Vultur was first disclosed in early 2021, with the malware capable of leveraging Android’s accessibility services APIs to execute its malicious actions.

The malware has been observed being distributed via trojanized dropper apps on the Google Play Store, masquerading as authenticator and productivity apps to trick unwitting users into installing them. These dropper apps are offered as part of a dropper-as-a-service (DaaS) operation called Brunhilda.

Other attack chains, as observed by NCC Group, involve the droppers being spread using a combination of SMS messages and phone calls – a technique called telephone-oriented attack delivery (TOAD) – to ultimately serve an updated version of the malware.

“The first SMS message guides the victim to a phone call,” Kamp said. “When the victim calls the number, the fraudster provides the victim with a second SMS that includes the link to the dropper: a modified version of the [legitimate] McAfee Security app.”

The initial SMS message aims to induce a false sense of urgency by instructing the recipients to call a number to authorize a non-existent transaction that involves a large sum of money.

Upon installation, the malicious dropper executes three related payloads (two APKs and one DEX file) that register the bot with the C2 server, obtain accessibility services permissions for remote access via AlphaVNC and ngrok, and run commands fetched from the C2 server.

One of the notable additions to Vultur is the ability to remotely interact with the infected device, including carrying out clicks, scrolls, and swipes, through Android’s accessibility services, as well as to download, upload, delete, install, and find files.

In addition, the malware is equipped to prevent victims from interacting with a predefined list of apps, display custom notifications in the status bar, and even disable Keyguard to bypass lock screen security measures.

“Vultur’s recent developments have shown a shift in focus towards maximizing remote control over infected devices,” Kamp said.

“With the capability to issue commands for scrolling, swipe gestures, clicks, volume control, blocking apps from running, and even incorporating file manager functionality, it’s clear that the primary objective is to gain complete control over compromised devices.”

The development comes as Team Cymru revealed the Octo (aka Coper) Android banking trojan’s transition to a malware-as-a-service operation, offering its services to other threat actors for conducting information theft.

“The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device’s screen,” the company said.

“It employs various injects to steal sensitive information, such as passwords and login credentials, by displaying fake screens or overlays. Additionally, it uses VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance capabilities.”

Octo campaigns are estimated to have compromised 45,000 devices, primarily spanning Portugal, Spain, Turkey, and the U.S. Some of the other victims are located in France, the Netherlands, Canada, India, and Japan.

The findings also follow the emergence of a new campaign targeting Android users in India that distributes malicious APK packages posing as online booking, billing, and courier services via a malware-as-a-service (MaaS) offering.

The malware “targets theft of banking information, SMS messages, and other confidential information from victims’ devices,” Broadcom-owned Symantec said in a bulletin.