Vultur and Oscorp Android Banking Trojans Taking a Toll on Users
Researchers have discovered new waves of banking trojans targeting Android smartphone users. The latest ones identified are the Vultur and Oscorp trojans. Both target banking apps to steal login credentials and other information.

What is Vultur up to? 

According to ThreatFabric researchers, the majority of apps targeted by the Vultur trojan are related to banks based in Italy, Spain, and Australia. In addition to this, Vultur is suspected to be connected with a dropper framework known as Brunhilda.
  • Researchers identified two dropper applications related to Vultur, one of which has been downloaded more than 5,000 times from the Google Play store. 
  • Vultur leverages ngrok to gain remote access to the VNC server used by the device and abuses Android’s Accessibility Services to find out which application is running in the foreground.
  • If the application name matches an entry in the list of apps targeted by Vultur, it starts a screen recording session. It also appears in the notification panel as an app named Protection Guard.
  • In addition, the Android banking trojan abuses Accessibility Services to log all keys pressed on the screen (keylogging) and to prevent the user from manually uninstalling the applications.

About Oscorp

Around the same time, researchers from Cleafy systems identified another piece of malware, Oscorp. Here, attackers use fake bank operators to trick victims over the phone.
  • This malware has the ability to intercept, delete, or send SMS and make phone calls, perform overlay attacks on more than 150 mobile applications, and perform keylogging.
  • The malware allows attackers to connect remotely using the WebRTC protocol. It also abuses Android Accessibility Services.
  • Moreover, the Oscorp trojan has a connection with UBEL (an Android botnet): the same ‘bot id’ string format, an initial RZ substring along with random alphanumeric characters, is found in both.

Conclusion

Vultur and Oscorp attempt to gain full remote access to the infected device and perform unauthorized bank transfers. Both abuse Android Accessibility Services to stay undetected and perform malicious tasks, which indicates that malware developers are becoming more advanced both in developing new malware and in updating existing malware.
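A defender-side check for the Accessibility Services abuse described in this article, as an added example that is not part of the original article: it parses the value printed by `adb shell settings get secure enabled_accessibility_services` and flags enabled services from packages outside an approved list. The sample value, the package name `com.example.protectionguard` and the allowlist are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample of the colon-separated value printed by:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.protectionguard/.core.GuardService"
)

# Assumption: packages your organisation has approved to hold this permission.
ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})


@dataclass(frozen=True)
class Service:
    package: str
    cls: str


def parse_services(raw: str) -> list[Service]:
    """Split the setting into package/class pairs; expand '.Short' class names."""
    raw = raw.strip()
    if raw in ("", "null"):  # 'settings get' prints "null" when the key is unset
        return []
    services = []
    for entry in filter(None, (e.strip() for e in raw.split(":"))):
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            raise ValueError(f"malformed component name: {entry!r}")
        if cls.startswith("."):  # shorthand form: class name relative to package
            cls = package + cls
        services.append(Service(package, cls))
    return services


def unapproved_services(raw: str, allowlist=ALLOWLIST) -> list[Service]:
    """Return enabled accessibility services whose package is not approved."""
    return [s for s in parse_services(raw) if s.package not in allowlist]


if __name__ == "__main__":
    for svc in unapproved_services(SAMPLE):
        print(f"REVIEW: {svc.package} runs accessibility service {svc.cls}")
```

A flagged entry is a prompt for review, not a verdict: legitimate password managers and assistive tools also register accessibility services.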

Cyware Publisher