Keypoints
- Vultur’s latest campaign uses smishing plus phone calls to socially engineer victims into installing a trojanized McAfee Security app.
- The trojanized app contains the Brunhilda dropper, which decrypts and executes three payloads (two APKs and a DEX) after installation.
- Post‑install behavior includes gaining Accessibility Services, initializing remote control via AlphaVNC and ngrok, screen recording, and keylogging for real‑time account theft.
- New capabilities include file management (download/upload/delete/install/search), UI manipulation (blocking apps, custom HTML or “Temporarily Unavailable” screens), custom notifications, and disabling the Keyguard to bypass lock screens.
- Evasion features: encrypted C2 communications (AES + Base64), multiple encrypted payloads decrypted on demand, and native‑code decryption to hinder reverse engineering and detection.
- Zimperium noted Vultur variants targeted 122 banking apps across 15 countries, indicating broad and active targeting of mobile banking ecosystems.
- Recommended mitigations include installing apps only from trusted stores, scrutinizing app permissions, and avoiding clicking links in unsolicited messages.
MITRE Techniques
- [T1566.002] Phishing: Link – The campaign starts with an SMS alert and a phone call that ultimately lead the victim to open a link; (‘victim receiving an SMS message alerting of an unauthorized transaction and instructing to call a provided number’)
- [T1204.002] User Execution: Malicious Link – The attacker persuades the victim during a call to open a second SMS link that directs to a site offering a modified McAfee app; (‘call… persuades the victim to open the link arriving with a second SMS, which directs to a site that offers a modified version of the McAfee Security app’)
- [T1105] Ingress Tool Transfer – The installed trojan decrypts and executes additional components (two APKs and a DEX) delivered by the dropper; (‘the app decrypts and executes three Vultur-related payloads (two APKs and a DEX file)’)
- [T1056.001] Input Capture: Keylogging – The malware captures keystrokes to harvest credentials; (‘such as screen recording, keylogging, and remote access via AlphaVNC and ngrok’)
- [T1113] Screen Capture – Vultur records the device screen to monitor victim activity and steal information; (‘such as screen recording… allowing attackers real-time monitoring and control’)
- [T1021] Remote Services – The trojan provides remote access and control using AlphaVNC and tunneling (ngrok) for real‑time interaction with infected devices; (‘remote access via AlphaVNC and ngrok, allowing attackers real-time monitoring and control’)
- [T1071.001] Application Layer Protocol: Web Protocols – C2 traffic is sent as encrypted POST requests using AES + Base64 to conceal command and control communications; (‘encrypting its C2 communications (AES + Base64)’)
- [T1027] Obfuscated Files or Information – The malware uses native code and on‑the‑fly decryption of multiple encrypted payloads to hinder analysis and detection; (‘uses native code to decrypt the payload, which makes the reverse engineering process more difficult’)
Indicators of Compromise
- [Malicious app / Dropper] trojanized app and dropper – ‘McAfee Security’ (trojanized installer), ‘Brunhilda’ dropper
- [Remote access tools / services] used for control – AlphaVNC, ngrok
- [Payload artifacts] executed components – two APKs and a DEX file deployed and decrypted on install (no filenames provided)
- [Communication pattern] encrypted C2 – AES + Base64 encrypted POST requests observed (no domains or IPs disclosed)
- [Targets / scope] targeted apps and regions – variants targeted ‘122 banking apps in 15 countries’ (no specific bank names listed)
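The C2 pattern noted under T1071.001 and in the IoC list (AES-encrypted, Base64-wrapped POST bodies) gives a defender something to hunt for even without domains or IPs: a POST body that is strict Base64 and decodes to an opaque, high-entropy blob whose length is a multiple of the AES block size. The following Python is an added example written for this page, not code from the report or from any vendor; the log format (`METHOD PATH STATUS body=...`) and the sample requests are constructed, and the "ciphertext" is a deterministic SHA-256-derived stand-in so the script runs offline.

```python
import base64
import binascii
import hashlib
import math
import re
import string

AES_BLOCK = 16
PRINTABLE = set(string.printable.encode())
# Assumed log format: "POST /path 200 body=<raw body>" (constructed for this example).
LOG_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})\s+body=(?P<body>\S*)$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def decode_strict_b64(text: str):
    """Return the decoded bytes if `text` is canonical, padded Base64; otherwise None."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    if base64.b64encode(raw).decode("ascii") != text:   # reject non-canonical encodings
        return None
    return raw


def classify_body(body: str, printable_max: float = 0.7, entropy_min: float = 4.0) -> str:
    """Heuristic verdict for one request body (thresholds are tunable assumptions)."""
    if not body:
        return "empty"
    raw = decode_strict_b64(body)
    if raw is None:
        return "not-base64"
    printable_ratio = sum(b in PRINTABLE for b in raw) / len(raw)
    if printable_ratio >= printable_max:
        return "base64-plaintext"           # encoded but readable, e.g. a JSON beacon
    block_aligned = len(raw) >= AES_BLOCK and len(raw) % AES_BLOCK == 0
    if block_aligned and shannon_entropy(raw) >= entropy_min:
        return "suspicious-ciphertext"      # opaque and block-aligned: worth an analyst's look
    return "base64-binary"


def scan_log(text: str) -> list:
    """Run classify_body over every parseable line and return path/verdict pairs."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings.append({"path": m["path"], "verdict": classify_body(m["body"])})
    return findings


# Constructed sample traffic (not from the report): a benign Base64 JSON beacon that is
# block-aligned by coincidence, a 64-byte pseudo-random stand-in for AES ciphertext,
# and an ordinary form post.
BENIGN_BODY = base64.b64encode(b'{"event":"ping","ts":1711000000}').decode("ascii")
FAKE_CIPHERTEXT = (hashlib.sha256(b"constructed-sample-1").digest()
                   + hashlib.sha256(b"constructed-sample-2").digest())
BLOB_BODY = base64.b64encode(FAKE_CIPHERTEXT).decode("ascii")
SAMPLE_LOG = f"""\
POST /api/v1/sync 200 body={BENIGN_BODY}
POST /upload 200 body={BLOB_BODY}
POST /login 200 body=user=alice&pw=***
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['path']:<14} {f['verdict']}")
```

The printable-ratio check runs before the block-alignment check on purpose: the benign JSON beacon above happens to be exactly 32 bytes, so alignment alone would produce a false positive. Verdicts are triage hints, not proof of malware; a hit means the body deserves decryption attempts with keys recovered from the sample or correlation with the installing app.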
Vultur’s infection chain begins with social engineering via SMS and a phone call: victims receive a fake unauthorized‑transaction alert, are told to call a number, and then are coaxed to open a follow‑up SMS link. That link serves a trojanized McAfee Security installer which embeds the Brunhilda dropper; once executed, the dropper decrypts and loads three payloads (two APKs and a DEX) that request Accessibility privileges, initialize remote control subsystems, and connect back to C2 infrastructure.
After gaining Accessibility Services, the malware enables extensive remote control and data capture: screen recording, keylogging, AlphaVNC/ngrok‑based remote sessions, and granular device interaction (clicks, scrolling, swipes, volume control). It also implements file management capabilities (download/upload/delete/install/search), can block selected apps by showing custom HTML or “Temporarily Unavailable” messages, post custom notifications to the status bar, and disable the Keyguard to bypass the lock screen.
To evade detection and complicate analysis, Vultur encrypts C2 traffic (AES + Base64), ships multiple encrypted payloads decrypted at runtime, and leverages native‑code decryption routines. These measures, combined with rapid feature additions and UI‑level manipulation, increase stealth and persistence on infected devices; defenders should restrict app sources, scrutinize permissions (especially Accessibility), and avoid links in unsolicited messages.
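The two mitigations above (restrict app sources, scrutinize Accessibility grants) can be checked mechanically on a managed or seized device. The Python below is an added example for this page, not code from the report or any vendor: it takes the output of two adb commands, `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` entries) and `adb shell pm list packages -3 -i` (third-party packages with their installer), and flags any enabled Accessibility service that is not on an allowlist, rating sideloaded ones highest. The command output formats, the allowlists and the sample data are assumptions constructed for the example; verify the formats against your own device build.

```python
import re
from typing import Dict, List, Tuple

# Assumption: only the Play Store counts as a trusted installer on this fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Constructed allowlist of Accessibility services expected on the fleet.
KNOWN_A11Y_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Assumed line shape of `pm list packages -3 -i`: "package:<pkg>  installer=<pkg or null>"
PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)")


def parse_enabled_services(value: str) -> List[Tuple[str, str]]:
    """Split the enabled_accessibility_services setting into (package, package/service) pairs."""
    pairs = []
    for entry in value.strip().split(":"):
        if not entry or entry == "null":       # "null" is printed when nothing is enabled
            continue
        pkg, _, _service = entry.partition("/")
        pairs.append((pkg, entry))
    return pairs


def parse_installers(output: str) -> Dict[str, str]:
    """Map each third-party package to the installer that `pm` reports for it."""
    installers = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installers[m["pkg"]] = m["installer"]
    return installers


def triage(a11y_setting: str, pm_output: str) -> List[dict]:
    """Return findings for Accessibility services that are not on the allowlist."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, service in parse_enabled_services(a11y_setting):
        if service in KNOWN_A11Y_SERVICES:
            continue
        installer = installers.get(pkg)
        if installer is None:
            severity = "info"      # not in the third-party list, so preinstalled or system
            reason = "unlisted accessibility service from a non-third-party package"
        elif installer in TRUSTED_INSTALLERS:
            severity = "medium"
            reason = "unlisted accessibility service installed from a trusted store"
        else:
            severity = "high"      # sideloaded (installer=null or an unknown store) + Accessibility
            reason = f"unlisted accessibility service, sideloaded (installer={installer})"
        findings.append({"package": pkg, "service": service, "installer": installer,
                         "severity": severity, "reason": reason})
    return findings


# Constructed sample output (not captured from a real infection).
ENABLED_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                "com.example.secapp/com.example.secapp.AccessService")
PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.secapp  installer=null
package:com.example.bank  installer=com.android.vending
"""

if __name__ == "__main__":
    for f in triage(ENABLED_A11Y, PM_LIST):
        print(f"[{f['severity']}] {f['service']}: {f['reason']}")
```

The combination the script scores highest, an Accessibility-enabled app whose installer is `null`, is exactly what the infection chain described above produces: a browser-downloaded "security" APK that immediately asks for Accessibility. Feed the function real `adb` output to use it on a device under investigation.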