Please Don’t Feed the Vultures

What Is “Vultur”?

Vultur is a family of Android banking malware first discovered by ThreatFabric in March of 2021. Back then, Vultur was popular among threat actors because it included screen recording capabilities, such as keylogging, that helped it record transactions that unsuspecting consumers made in their banking apps.

In recent months, threat actors have upgraded Vultur to allow it to interact further with victims’ mobile devices and better hide itself from virus scanners.

Vultur malware is typically distributed via droppers – otherwise legitimate apps that threat actors have put into app stores (Google Play or third-party stores) and that subsequently perform actions on devices unbeknownst to the device owner. The apps themselves are offered as part of a dropper-as-a-service (DaaS) campaign called Brunhilda.

NCC Group, which has published an expose of the new versions of Vultur, has also observed that the droppers are spread via a combination of Smishing messages and phone calls.

In a recent campaign, fraudsters sent SMS messages “alerting” users of a fraudulent transaction (fake fraudulent) on their bank account and guiding victims to make a phone call to their “bank.” When the victim calls the number, the fraudster provides the victim with a second SMS that includes the link to the dropper: a fake version of a McAfee security app.

How Can Application Security Engineers Protect against Vultur?

While no malware scanner can be 100% effective against all forms of malware, Digital.ai Application Security customers have access to our Malicious Package Detection guard that correctly identifies and blocks dozens of Vultur variants, including the publicly referenced new variants discussed by NCCGroup. Thus, the first line of defense against Vultur is to utilize our Malicious Package Detection guard.

Digital.ai Application Security customers are further protected by our Hook Detection, Checksum, and Virtual Control Detection guards. The Virtual Control Detection guard prevents inputs from being injected into protected apps, Checksum verifies that the application code has not been modified in any way, and Hook Detection looks for evidence that an app has been otherwise tampered with.

Finally, our App Aware threat monitoring can alert enterprises as to when the guards above are triggered, effectively providing a third line of defense.

Combined, our Malicious Package Detection, Threat Monitoring, and other guards provide defense-in-depth against Vultur and prevent Vultur-related banking fraud.

Existing customers can log in here to view our technical documentation for more information on MPD and other guards.

Prospects who want to learn more about how to get Digital.ai Application Security can do so here.