Vultur Banking Trojan Spreading Via Fake Google Play Store App

During a routine threat hunting exercise, Cyble Research Labs came across a post by a malware researcher regarding the Vultur Android banking trojan distributed via Google Play Store. The Vultur malware is delivered as an add-on payload via a fake app called 2FA Authenticator, which over 10,000 people have downloaded. As a result of the researchers’ alert, the app has been removed from Google Play.

Researchers around March 2021 first identified the “Vultur” Android banking trojan variant. This malware variant uses screen recording functionality to monitor the targeted device using Virtual Network Computing (VNC). Additionally, VNC obtains Personally Identifiable Information (PII) such as passwords, access tokens, banking credentials, and even financial data to commit fraud. 

Furthermore, based on the threat intelligence and research from the earlier samples, it is suspected that Threat Actor (TA) Brunhilda is linked to the Vultur malware campaign. Brunhilda is a privately operated dropper that has been seen dropping Alien malware in the past.

Vultur malware variants are well-known for committing device fraud. Vultur malware is often distributed through the official Google Play Store and has two sets of features: screen recording and keylogging.

According to the analysis, the top countries targeted by these malware variants are Italy, Australia, Spain, and the United Kingdom.

Vultur takes a different approach to bank frauds than what we generally see from Android banking trojans. The typical banking trojan strategy exploits the overlay mechanism to deceive victims into disclosing their passwords and other sensitive data. However, unlike other banking trojans such as Alien and Cerberus, Vultur malware uses a technique that is less technically versatile but highly effective – screen recording via VNC.

Technical Analysis

The technical details of the downloader and the Vultur malware are as follows.

APK Metadata Information – First stage (Downloader APK)

  • App Name:  2FA Authenticator
  • Package Name: com.privacy.account.safetyapp
  • Main Activity: com.privacy.account.safetyapp.ui.MainActivity
  • SHA256 Hash: 
Figure 1 – Downloader Application Metadata Information

APK Metadata Information – Second stage (Vultur Malware App)

  • App Name:  2FA Authenticator
  • Package Name: com.creemextok
  • Main Activity: com.creemextok.MainActivity
  • SHA256 Hash: 
Figure 2 – Vultur Malware App Metadata Information

Manifest Information

First Stage (Downloader APK)

The Downloader app requests 11 different permissions, out of which it abuses 3. The app requests the user for the following harmful permissions:

CameraAllows the application to use the camera to take pictures and videos. This option enables the app to gather images captured by the camera at any time.
REQUEST_INSTALL_PACKAGESAllows the app to install applications.
SYSTEM_ALERT_WINDOWAllows the app to draw on top of other applications.

SYSTEM ALERT WINDOW – The downloader app has high-risk permission appearing in various banking trojans. This permission enables the malware to create overlay displays stealing passwords, prohibit users from accessing the device, and so on.

Apart from these three dangerous permissions, a detailed look at the other permissions that the app requests indicates that it exists to trick users into providing personal information.

The app can gain full network access by leveraging these permissions, running at startup, and disabling the screen lock or password.

Furthermore, the app would gain permission to deactivate the keyboard, query all packages, and even use biometrics, such as the user’s fingerprint data.

The application’s complete set of permissions is represented below.

Figure 3 – Permissions used by the downloader app

Second stage (Vultur Malware App)

The Vultur malware app requests 20 different permissions, out of which it abuses 6. The malware requests the user for the following harmful permissions:

READ_EXTERNAL_STORAGEAllows an application to read from external storage.
READ_PHONE_STATEAllows the application to access the phone features of the device.
SYSTEM_ALERT_WINDOWAllows the app to draw on top of other applications.
RECORD_AUDIOAllows the application to access the audio record paths.
WRITE_EXTERNAL_STORAGEAllows an application to write to external storage.
WRITE_SETTINGSAllows an application to modify the system’s settings data.

The application’s complete set of permissions is represented below.

Figure 4 – Vultur malware app Permission

Malware Behaviour

Figure 5 depicts the overall mechanism of the app that we analyzed, which consists of two stages – the downloader and the malware.

Figure 5 – Overall mechanism involved in the app we have analyzed

First Stage: Fake Authenticator Downloader

The identified app acts as a downloader, dropping an additional payload that masquerades third-party apps as updates, making it nearly impossible to detect.

While it is recommended that users only download apps from the Play Store, there is nothing users can do if the malicious app is delivered through Google’s official app gateway.

To appear authentic, the app developers implanted malicious code into the open-source code of the official Aegis authentication application. As a result, the app is effectively camouflaged as an authentication tool, allowing it to remain undetected.

The camouflaged 2FA Authenticator app requests important permissions that it does not disclose on its Google Play profile. These hidden permissions, together with the malicious code that the app executes, are:

  • Collecting and sending the list of applications used by the users, as well as their location, to the attackers so that they can use the information to carry out attacks targeted at specific individuals.
  • Disabling the keylock and password security.
  • Downloading third-party applications in the form of allegedly updated versions.
  • Attackers may freely execute actions even when the app is in a shut-off state.
  • Overlay the interface of other mobile apps using critical permission called SYSTEM_ALERT_WINDOW.

Figure 6 depicts the code that tracks the location of the user’s device.

Figure 6 – Code to track device location using GPS

The code for installing a new wake lock to activate the user’s phone screen is shown in Figure 7, which prevents the device from going off-state.

Figure 7 – Installing new wake lock using Power Manager API

Additionally, the downloader app queries the list of installed packages from the user’s device, shown in Figure 8.

Figure 8 – Collects the list of installed packages

Google advises that very few applications should utilize SYSTEM_ALERT_WINDOW permission since these windows are designed for system-level interaction with the user. Figure 9 depicts the code functionality to add an overlay to other apps.

Figure 9 – Code to create an overlay over to other apps

Finally, the code for downloading the second payload was identified upon a deep-dive analysis. Unfortunately, since the Command and Control (C&C) server was already down during our analysis, we were unable to retrieve the second stage payload from the C&C server. Regardless, we were able to get this information via our OSINT research.

Figure 10 shares the code that downloads the additional payload from the C&C server.

Figure 10 – Code to download additional payload from C2 server

Second Stage: Vultur Banking Trojan

Like most banking trojans, Vultur malware makes extensive use of Accessibility Services. When the malware is launched, it hides its app icon, post which the malware proceeds to abuse Accessibility Services to get all the required permissions to operate effectively. Also, the application asks for the Accessibility Service access while displaying a WebView overlay as seen in other malware families such as Alien banking malware.

Accessibility Event service is initiated when a new event is triggered. The malware checks the source of the event with one of the keylogging targets (apps) from the app list. If the triggered event matches an app on the list, Accessibility Services are used to keeps records of everything the user types.

Figure 11 depicts the code used for keylogging functionality using the Accessibility Event service.

Figure 11 – Keylogging functionality using Accessibility Service

Accessibility Services also prevent users from using the Settings menu to uninstall the app from the targeted device. When users attempt to uninstall by going to the Settings screen, the malware’s bot instantly redirects users to the main screen, denying them access to the removal option.

After hiding the application icon, the malware uses VNC to launch the Screen Recording functionality. VNC is a software mechanism used in applications for sharing the user’s screen with remote access, and it’s widely seen in third-party software like TeamViewer.

An actual VNC implementation in Vultur malware is carried out using AlphaVNC, which is used for screen projection in Android devices through the local network.

The Vultur malware also employs a cross-platform application known as “ngrok,” which connects the TA’s local development server to the internet without using a public IP address or domain name. ngrok’s main feature is that it uses a secure channel to expose local servers behind firewalls and NAT IPs to the public internet.

AlphaVNC and ngrok are both legitimate and legal tools. Malware families such as  Vultur and other Android banking trojans exploit them to obtain PII from their victims.

Native code is used to implement the primary VNC-like functionality. The library, which is interfaced to the application via a wrapper class, contains all the features, such as the method nstart_vnc() as shown in the figure below.

Figure 12 – Code that initiates VNC Service for Screen recording

Vultur’s screen recording capability is the most significant threat that this malware is capable of performing.

Using Accessibility Services, the malware figures out which application is running in the foreground. A screen recording session will automatically begin if the application is on the list of targets.

Hint: If the user looks at the notification panel, the existence of Vultur malware may be seen projected on the screen, which can be used to identify the screen recording capability performed by malware.

By interacting with the C&C server, the Vultur malware downloads the ngork tool. The malware also communicates with the C&C server to receive commands via FirebaseCloudMessaging (FCM), in addition to the tool to get information.

The list of commands, methods, and pathways discovered in the malware that is typical in Vultur malware are listed in the table below.

C&C Methods:

vnc.registerRegistration information is sent.
vnc.statusSends VNC address and device status. 
vnc.appsSends a list of packages that have been installed.
vnc.keylogSends a log of pressed keys.
vnc.configCollects the config file of the packages for keylogging functionality.
vnc.overlay.logsSends the logs collected through the overlay.
Figure 13 – Method communications with the C2 server

FCM Commands:

registeredUpon successful registration, users will receive notifications.
startngrok is used to establish a VNC connection.
stopVNC connection is terminated by removing the address, terminating the ngrok process, and terminating the VNC service.
unlockUnlocks the screen.
deleteRemoves the malware package.
patternProvides a gesture/stroke pattern for the device to execute.
Figure 14 – FCM commands from C&C server

C&C Paths:

Path: /rpc/ – JSON-RPC endpoint for C&C communication

Figure 15 – RPC path to download from C&C Server

Path: /upload/ – POST endpoint for uploading files (e.g., screen record)

Figure 16 – Uploading screen recording files to C&C Server

Path: /version/app/?filename=ngrok&arch={arm|386} – Download the relevant ngrok version from this endpoint.

Figure 17 – Downloading corresponding ngrok tool through C&C Server

Identified C&C servers:

Downloader file: hxxps://privacyandroidapp[.]club

Vultur malware file: hxxps://letsbeapornostar[.]club


Based on the above analysis, banking trojans on mobile platforms no longer perform assaults purely based on overlay or using rented Mobility as a Service (MaaS) trojans.

Remote Access Trojans (RAT) start screen recording services by identifying foreground applications in the list of apps, as seen in the case of Vultur. This malware is evolving in tandem with the security measures used by financial institutions.

Financial institutions must improve on their mobile-first strategy with knowledge of the security landscape and prepare for the threats posed by this malware. This goal may be accomplished by developing a mobile security strategy that is threat-driven in real-time.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How To Prevent Malware Infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How To Identify Whether You Are Infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What To Do When You Are Infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset of the device.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What To Do In Case Of Any Fraudulent Transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What Should Banks Do To Protect Their Customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or email. 

MITRE ATT&CK® Techniques

Downloader APK:

TacticTechnique IDTechnique Name
Defense EvasionT1406Obfuscated Files or Information
DiscoveryT1421System Network Connections Discovery
Discovery/CollectionT1430Location Tracking
DiscoveryT1426System Information Discovery
CollectionT1507Network Information Discovery
 Command and ControlT1509Uncommonly Used Ports
 ImpactT1447Delete Device Data

Vultur Malware:

TacticTechnique IDTechnique Name
Initial AccessT1415Deliver Malicious App via Authorized App Store
Defense EvasionT1444Masquerade as Legitimate Application
CollectionT1513Screen Capture
Credential AccessT1417Input Capture (Keylogger)
Command and ControlT1509Uncommonly Used Ports

Indicators Of Compromise (IOCs)

IndicatorsIndicator TypeDescription
00a733c78f1b4d4f54cf06a0ea8cc33604512d6032ef4ef9114c89c700bfafcfSHA-256Downloader APK Sample
11558904bb5a8ae28100dd6f139f31c837411d56adfae6a0c3d4d980e7fb8953SHA-256Similar Pattern of Downloader APK Sample
1b290349c8ada90705f7e1f6aee3cc2c8fecd02163c490af37cf59a29ed24a23SHA-256Vultur Malware Sample
hxxps://privacyandroidapp[.]clubC2 URLC2 server used for downloading Vultur Malware payload
hxxps://letsbeapornostar[.]clubC2 URLC2 server of Vultur malware

Scroll to Top