"Android Banking Trojan 'Vultur' Abusing Accessibility Services"
An Android banking Trojan dubbed Vultur, first identified in March 2021, relies on screen recording and keylogging instead of HTML overlays to capture login credentials. According to security researchers at ThreatFabric, Vultur uses the Virtual Network Computing (VNC) implementation from AlphaVNC to gain complete visibility into a victim's device. To provide remote access to the VNC server on the device, the malware uses ngrok, an app that leverages encrypted tunnels to expose local systems hidden behind NATs and firewalls to the public Internet. The researchers said the mobile malware takes advantage of Android's Accessibility Services to identify the app running in the foreground. If that app is on the target list, the malware starts screen recording. The malware also abuses the Accessibility Services to log all of the keys pressed by the user on the screen, and to prevent the victim from deleting it through manual uninstallation. Vultur has been observed targeting various banking applications, with users in Australia, Italy, and Spain being the main victims. This article continues to discuss the capabilities and targets of the Vultur Android banking Trojan.
Security Week reports "Android Banking Trojan 'Vultur' Abusing Accessibility Services"