When it was first discovered three years ago, Vultur abused legitimate software products to gain remote access to infected devices. It relied on a dropper (a helper program that installs malware on a device) called Brunhilda. Brunhilda has previously been used in many Google Play apps to spread malware.
The more powerful version of Vultur isn’t being distributed through the Google Play Store. It uses Android’s Accessibility Services for more advanced remote control capabilities.
The cybercriminals behind the malware are using a social engineering technique to get people to install it.
The victim gets an SMS message that asks them to call a number if they didn’t initiate a transaction involving a lot of money. That’s just a ploy to create a false sense of urgency; in reality, there wasn’t any transaction to begin with.
After the victim calls the number, they are sent another SMS that contains a link to an app that resembles the McAfee Security app but is actually the Brunhilda dropper. Since the dropper functions like the McAfee Security app, the victim gets the impression that it’s harmless.
Once the malware is on a victim’s phone, the threat actors gain total control over their smartphone. They can remotely carry out a range of activities, including:
- Install and delete files
- Perform actions like scrolling, swiping, clicking, and muting or unmuting audio
- Stop apps from running
- Display a notification
- Record the screen
- Capture keystrokes
- Steal credentials
Banking apps are the primary targets of Vultur.
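A defender-side triage check for the two traits described above (an app installed from outside Google Play that holds an enabled Accessibility Service), added here as an example and not taken from the article or any vendor tool. It parses the output of the adb shell commands `settings get secure enabled_accessibility_services`, `pm list packages -i` and `pm list packages -s`; the sample output, the package names and the rule that only the Play Store counts as a trusted installer are constructed assumptions.

```python
import re

PLAY_STORE = "com.android.vending"  # assumption: the only installer treated as trusted

def parse_services(raw):
    """Parse `settings get secure enabled_accessibility_services` (colon-separated pkg/class)."""
    raw = raw.strip()
    if not raw or raw == "null":  # the setting prints "null" when no service is enabled
        return []
    services = []
    for comp in raw.split(":"):
        pkg, _, cls = comp.partition("/")
        # ".Name" is shorthand for a class inside the package itself
        services.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return services

def parse_installers(raw):
    """Parse `pm list packages -i` lines into {package: installer or None}."""
    found = re.findall(r"^package:(\S+)[ \t]+installer=(\S+)", raw, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in found}

def parse_system(raw):
    """Parse `pm list packages -s` (preinstalled system packages)."""
    return set(re.findall(r"^package:(\S+)", raw, re.M))

def sideloaded_accessibility(services_raw, installers_raw, system_raw):
    """Return enabled accessibility services owned by non-system, non-Play-Store packages."""
    installers = parse_installers(installers_raw)
    system = parse_system(system_raw)
    findings = []
    for pkg, cls in parse_services(services_raw):
        installer = installers.get(pkg)
        if pkg in system or installer == PLAY_STORE:
            continue  # preinstalled or Play-installed: outside this check's scope
        findings.append((pkg, cls, installer or "no installer recorded"))
    return findings

# Constructed sample output; com.example.* packages are hypothetical.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.notes/com.example.notes.ReaderService:"
    "com.example.fakesecurity/.HelperService\n"
)
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.fakesecurity  installer=com.google.android.packageinstaller
"""
SAMPLE_SYSTEM = "package:com.google.android.marvin.talkback\n"

if __name__ == "__main__":
    for finding in sideloaded_accessibility(SAMPLE_SERVICES, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print("review:", *finding)
```

A hit is a prompt for review, not a verdict: legitimate apps from other stores or enterprise deployment will also appear until their installers are added to the trusted set.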
Vultur is the last thing anyone would want on their phone and, like many unwelcome things in life, this nightmare starts with a text. If you don’t want to be a victim, don’t lose your marbles if you get an SMS about an unauthorized transaction.