Jul 30 2021

Android Banking Trojan Vultur uses screen recording for credentials stealing

Category: TrojanDISC @ 11:15 pm

Experts spotted a new strain of Android banking Trojan dubbed Vultur that uses screen recording and keylogging for the capturing of login credentials.

ThreatFabric researchers discovered a new Android banking Trojan, tracked as Vultur, that uses screen recording and keylogging to capture login credentials.

Vultur was first spotted in late March 2021, it gains full visibility on victims’ devices via VNC (Virtual Network Computing) implementation taken from AlphaVNC.

“For the first time we are seeing an Android banking trojan that has screen recording and keylogging as main strategy to harvest login credentials in an automated and scalable way. The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking Trojans: this approach usually requires more time and effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.” reads the analysis published by ThreatFabric.

Most of the apps targeted by Vultur belong to banks in Italy, Australia and Spain, experts discovered a link with a popular dropper framework called Brunhilda.

Viruses, Hardware and Software Trojans: Attacks and Countermeasures

Tags: Banking Trojan, credentials stealing