Banking trojan Vultur spreads in the Nordics: Protect your Android app

June 25, 2024

Banking trojan Vultur has been observed targeting banks in the Nordics. First discovered in 2021, Vultur malware targets Android users by posing as a security app, aiming to harvest sensitive user data from banking apps. 

Originally, Vultur worked as a straightforward overlay attack, which is easily thwarted with the right security tools in place. However, its creators upgraded the malware in 2024 with several new features, including advanced detection evasion, improved anti-analysis, and upgraded remote control capabilities. With the overall number of victims estimated to be over 30,000, understanding how Vultur works and how to secure your mobile banking app is essential to protect your customers from harm.

How Vultur works

While the traditional banking trojan relies on users typing their credentials into what they believe is a legitimate banking app, Vultur uses an alternative technique: abuse of accessibility services. In its latest generation, Vultur targets Android users through an SMS message alerting them to an unauthorized banking transaction and directing them to call a phone number for assistance. On the call, the scammer sends another SMS message instructing them to install a fake version of the McAfee Security app from the Google Play Store, which is actually a Brunhilda dropper. Once installed, the malware decrypts and executes three payloads (two APKs and a DEX file), establishing a connection to the Command-and-Control (C2) server and giving the threat actors control of accessibility services for remote access via AlphaVNC and ngrok.
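One defensive check for the accessibility-service abuse described above, as an added example that is not from the original article: it parses a device's list of enabled accessibility services and flags any that belong to a package outside an allowlist. The allowlist, the trusted-installer policy and every package name in the sample input are assumptions or constructed placeholders.

```python
# Added example: audit Android accessibility access from captured adb output
# (`settings get secure enabled_accessibility_services`, `pm list packages -i`).
ALLOWED = {"com.google.android.marvin.talkback"}   # assumed allowlist
TRUSTED_INSTALLERS = {"com.android.vending"}       # assumed policy: Google Play

def parse_services(raw):
    """Split the colon-separated setting into (package, class) pairs."""
    out = []
    if raw.strip() in ("", "null"):                 # setting unset
        return out
    for entry in filter(None, (e.strip() for e in raw.split(":"))):
        package, sep, cls = entry.partition("/")
        if not (sep and package and cls):
            out.append((entry, None))               # malformed: keep for review
        else:                                       # ".Svc" is relative to package
            out.append((package, package + cls if cls.startswith(".") else cls))
    return out

def parse_installers(listing):
    """Map package -> installer from `pm list packages -i` output."""
    installers = {}
    for line in listing.splitlines():
        if line.strip().startswith("package:"):
            name, _, rest = line.strip()[len("package:"):].partition("installer=")
            installers[name.strip()] = rest.strip() or "null"
    return installers

def audit(raw_services, pm_listing, allowed=ALLOWED):
    """Return (component, level, installer) per enabled, non-allowlisted service."""
    installers = parse_installers(pm_listing)
    findings = []
    for package, cls in parse_services(raw_services):
        if cls is None:
            findings.append((package, "malformed", None))
        elif package not in allowed:
            src = installers.get(package, "unknown")
            level = "review" if src in TRUSTED_INSTALLERS else "high"
            findings.append((f"{package}/{cls}", level, src))
    return findings

# Constructed sample input (package names are placeholders, not real IoCs).
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.fakesecurity/com.example.fakesecurity.RemoteService:"
                   "com.example.notes/.AutoFillService")
SAMPLE_PM = ("package:com.google.android.marvin.talkback  installer=com.android.vending\n"
             "package:com.example.fakesecurity  installer=null\n"
             "package:com.example.notes  installer=com.android.vending\n")
if __name__ == "__main__":
    print(*audit(SAMPLE_SERVICES, SAMPLE_PM), sep="\n")
```

The installer field only sets review priority; the allowlist is the actual control, since a service from a store-installed package is still reported.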

"Vultur's recent developments have shown a shift in focus towards maximizing remote control over infected devices," NCC Group researcher Joshua Kamp said in a report published on the banking trojan’s new developments.

What Vultur can do

Boasting seven new C2 methods, Vultur can click, scroll, and swipe, as well as block apps from running. When it blocks an app, it shows the user either custom HTML retrieved through the vnc.blocked.packages C2 method or a “Temporarily Unavailable” message.

Other uses include bypassing the lock screen by disabling the keyguard to gain unrestricted device access, and file management actions that can download, upload, delete, install, and find files. With these tools, sensitive information such as passwords and login details is obtained and funds can be taken from the victim’s bank account.

Why this matters

New detection evasion and obfuscation techniques, such as AES encryption and evasion of static app scanning (i.e. encrypting parts of the app and downloading commands, amongst other functions), make Vultur’s latest update even more dangerous, as it is more difficult than ever to detect.

Utilizing legitimate apps like McAfee Security also enables the malware to mask its malicious actions. The modified version looks like a legitimate app, with the same icons and user interface, and even contains some of the original app code, but in addition it contains malware code that can attack users.

Then there’s the question of payloads: previous versions of the Brunhilda dropper delivered Vultur through a single payload, but Vultur is now dropped by the latest variant in three layers. The new dropper is a modified version of the legitimate McAfee Security app, and it retains the official app's functionality, giving it a low detection rate among users.

Google released a statement addressing concerns over the malware, stating that “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

But, to put it bluntly, that’s not good enough — and it’s certainly not a problem solved, unfortunately for all involved. This is where reputable mobile security apps come in, offering an extra layer of protection against malware like Vultur.

 
