Keypoints
- Attackers deliver Vultur via a trojanised “McAfee” dropper (Brunhilda) using a social‑engineering SMS + phone‑call flow to trick victims into installing the dropper.
- Brunhilda decrypts and installs three Vultur payloads (two APKs + one DEX) where payloads #2 and #3 interoperate to provide core functionality.
- Vultur added 7 new C2 methods and 41 new FCM commands to enable remote control via Android Accessibility Services (clicks, swipes, gestures, volume control, app blocking, unlocking, file management, screen recording).
- C2 communication now uses AES encryption and Base64 encoding over HTTPS (JSON‑RPC 2.0), and many payloads use native code to decrypt embedded binaries to hinder analysis.
- Malware hides as legitimate apps (modded McAfee, uses Android Accessibility Suite package name), fragments malicious code across multiple payloads, and stores config in encrypted SharedPreferences.
- Vultur retains AlphaVNC + ngrok remote access while adding FCM-triggered RAT commands, plus file upload/download endpoints for exfiltration and payload delivery.
MITRE Techniques
- [T1566] Phishing – Social engineering using SMS and a phone call to coerce the victim into installing the trojanised app: ‘hybrid attack using both SMS and a phone call.’
- [T1204] User Execution – Victim interaction to install a trojanised McAfee app (Brunhilda dropper): ‘instructs the victim into installing a trojanised version of the McAfee Security app from a link.’
- [T1219] Remote Services – Use of AlphaVNC and ngrok to maintain interactive remote access to infected devices: ‘remote access functionality using AlphaVNC and ngrok.’
- [T1105] Ingress Tool Transfer – Downloading additional components and tools (ngrok, payload files) from C2 endpoints: ‘Endpoint for downloading the relevant version of ngrok’ and ‘Endpoint for downloading a file specified by the payload.’
- [T1071.001] Application Layer Protocol: HTTPS – C2 uses JSON‑RPC over HTTPS with AES encrypted and Base64 encoded payloads: ‘JSON-RPC 2.0 over HTTPS’ and ‘AES encryption and Base64 encoding for its C2 communication.’
- [T1027] Obfuscated Files or Information – Use of native code, multiple encrypted payloads and AES/Base64 to hide strings and payloads: ‘using native code in order to decrypt payloads’ and ‘spreading malicious code over multiple payloads.’
- [T1036] Masquerading – Modifying legitimate applications and reusing legitimate package names to avoid detection: ‘modified version of the legitimate McAfee Security app’ and ‘uses the official Android Accessibility Suite package name.’
- [T1056.001] Input Capture: Keylogging – Collecting keystrokes from targeted banking apps: ‘Sends the keystrokes that were obtained via keylogging.’
- [T1113] Screen Capture – Screen recording and capture capability included in Vultur to harvest UI content: ‘one of the first Android banking malware families to include screen recording capabilities.’
Indicators of Compromise
- [File hash] analysed samples – edef007f1ca60fdf75a7d5c5ffe09f1fc3fb560153633ec18c5ddb46cc75ea21 (Brunhilda dropper), 7f1a344d8141e75c69a3c5cf61197f1d4b5038053fd777a68589ecdb29168e0c (Vultur payload #3), and many other hashes.
- [Package name] observed app identifiers – com.wsandroid.suite (modded McAfee dropper), se.accessibility.app (Vultur payload #1).
- [Domain/C2] command-and-control servers – safetyfactor[.]online, cloudmiracle[.]store; FCM endpoints flandria171[.]appspot[.]com and newyan-1e09d[.]appspot[.]com.
- [Endpoints] C2 API paths – /ejr/ (JSON‑RPC C2 registration), /upload/ (file upload for screen recordings), and /version/app/?filename=ngrok (ngrok downloads).
- [Dropper URLs] distribution hosts – mcafee[.]960232[.]com, mcafee[.]353934[.]com (examples of multiple mcafee.* domains used to host the trojanised dropper).
Vultur’s technical procedure condensed: attackers send an initial SMS prompting a phone call, then deliver a trojanised McAfee app (Brunhilda) via a second SMS link. Brunhilda registers with the C2 (/ejr/) and decrypts three embedded payloads (two APKs + one DEX) using native‑implemented AES decryption; decryption keys are derived from substrings of embedded strings (examples: QWNMWkVQN21ucmNi and Y29QYnRPR1k1STRB). Payload #1 obtains Accessibility Service privileges by loading C2-provided HTML in a WebView and prompting the user; it then installs payload #2.
Payload #2 sets up AlphaVNC and ngrok, implements the Accessibility Service (masquerading as com.google.android.marvin.talkback), manages screen recording, and decrypts payload #3 (a.int → AES/CFB/NoPadding with key SBhXcwoAiLTNIyLK). Payload #3 (DEX) contains the core C2 methods and FCM command handlers; payloads #2 and #3 invoke each other’s functions, which together provide the file manager (download/upload/install/delete/find), blocking of specified apps with custom HTML templates, keylogging, snapshot reporting, and screen recording upload via /upload/.
Communications and evasion: all JSON‑RPC requests and responses are AES encrypted and Base64 encoded over HTTPS (to /ejr/), FCM is used to push 41+ command IDs (e.g., start/stop VNC, clicks, swipes, unlock, request_accessibility, file manager commands), and the dropper uses legitimate package names and encrypted SharedPreferences to hide configuration. Combined native decryption, payload fragmentation, and HTTPS/AES encoding increase analysis complexity and reduce static detection.
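As an added example (not NCC Group’s code and not taken from the original write-up), the following Python script refangs the network indicators listed above and matches them against proxy-log lines, so a defender can triage which clients contacted the dropper hosts, the C2 domains or the /ejr/, /upload/ and ngrok-download endpoints. The mcafee.<digits>.com pattern generalises the two published dropper hosts; the log format, client addresses, timestamps and file names in the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators as published in the write-up (defanged with "[.]").
C2_DOMAINS = ["safetyfactor[.]online", "cloudmiracle[.]store",
              "flandria171[.]appspot[.]com", "newyan-1e09d[.]appspot[.]com"]
DROPPER_HOSTS = ["mcafee[.]960232[.]com", "mcafee[.]353934[.]com"]
# The write-up says several mcafee.* hosts served the dropper; this pattern
# generalises the two published examples (assumption: a numeric middle label).
DROPPER_HOST_RE = re.compile(r"^mcafee\.\d+\.com$")
# C2 API paths from the write-up; /version/app/?filename=ngrok is handled separately.
C2_PATHS = {"/ejr/": "JSON-RPC registration/C2",
            "/upload/": "screen recording upload"}


def refang(indicator):
    """Turn a defanged indicator ("a[.]b") back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def refanged(indicators):
    return {refang(i) for i in indicators}


def classify_url(url):
    """Return a list of (kind, detail, confidence) hits for one URL; [] if clean.

    A path hit on a known C2 host is high confidence; the same path on an
    unknown host is reported as low confidence because /upload/ is a common path.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    host_is_c2 = host in refanged(C2_DOMAINS)
    host_is_dropper = host in refanged(DROPPER_HOSTS) or bool(DROPPER_HOST_RE.match(host))
    if host_is_c2:
        hits.append(("c2_domain", host, "high"))
    if host_is_dropper:
        hits.append(("dropper_host", host, "high"))
    path_label = None
    if parts.path == "/version/app/":
        if parse_qs(parts.query).get("filename") == ["ngrok"]:
            path_label = "ngrok download"
    else:
        path_label = C2_PATHS.get(parts.path)
    if path_label:
        hits.append(("c2_path", path_label, "high" if host_is_c2 else "low"))
    return hits


# Constructed proxy-log lines (not real telemetry): "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """
2024-03-28T10:01:02Z 10.0.0.5 GET https://mcafee.960232.com/app.apk 200
2024-03-28T10:01:30Z 10.0.0.5 POST https://safetyfactor.online/ejr/ 200
2024-03-28T10:02:10Z 10.0.0.5 GET https://cloudmiracle.store/version/app/?filename=ngrok 200
2024-03-28T10:03:00Z 10.0.0.5 POST https://cloudmiracle.store/upload/ 200
2024-03-28T10:04:00Z 10.0.0.7 GET https://example.com/upload/ 200
2024-03-28T10:05:00Z 10.0.0.9 GET https://mcafee.123456.com/app.apk 200
2024-03-28T10:06:00Z 10.0.0.5 GET https://www.mcafee.com/en-us/index.html 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def scan_proxy_log(text):
    """Parse log lines and return one finding dict per indicator hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, method, url, status = m.groups()
        for kind, detail, confidence in classify_url(url):
            findings.append({"ts": ts, "client": client, "method": method, "url": url,
                             "kind": kind, "detail": detail, "confidence": confidence})
    return findings


def clients_to_triage(findings):
    """Clients with at least one high-confidence hit, sorted for reporting."""
    return sorted({f["client"] for f in findings if f["confidence"] == "high"})


if __name__ == "__main__":
    results = scan_proxy_log(SAMPLE_PROXY_LOG)
    for f in results:
        print(f"{f['ts']} {f['client']} {f['kind']:12} {f['confidence']:4} {f['detail']} <- {f['url']}")
    print("triage:", clients_to_triage(results))
```

In the sample data only the two clients that reached a published host (or a host matching the generalised dropper pattern) are flagged for triage; the client that merely requested /upload/ on an unrelated host is kept as a low-confidence lead, since a path alone is weak evidence without the accompanying host, the POST body characteristics (Base64-encoded AES blobs to /ejr/), or the on-device package-name indicators.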
Read more: https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its-wingspan