A trojanized version of the McAfee Security app is installing the Android banking Trojan “Vultur,” according to researchers at Fox-IT. The attackers are spreading links to the malicious app via text messages and phone calls.
“In order to deceive unsuspecting individuals into installing malware, the threat actors employ a hybrid attack using two SMS messages and a phone call,” the researchers write. “First, the victim receives an SMS message that instructs them to call a number if they did not authorize a transaction involving a large amount of money. In reality, this transaction never occurred, but it creates a false sense of urgency to trick the victim into acting quickly.”
If a victim calls the phone number, they’ll receive another text with a link to a malicious version of the McAfee Security app, which will install the Vultur malware.
“A second SMS is sent during the phone call, where the victim is instructed into installing a trojanized version of the McAfee Security app from a link,” Fox-IT says.
“This application is actually Brunhilda dropper, which looks benign to the victim as it contains functionality that the original McAfee Security app would have. As illustrated below, this dropper decrypts and executes a total of 3 Vultur-related payloads, giving the threat actors total control over the victim’s mobile device.”
The researchers note that this version of Vultur has new features that make it harder to detect.
“The most intriguing addition is the malware’s ability to remotely interact with the infected device through the use of Android’s Accessibility Services,” the researchers write.
“The malware operator can now send commands in order to perform clicks, scrolls, swipe gestures, and more. Firebase Cloud Messaging (FCM), a messaging service provided by Google, is used for sending messages from the C2 server to the infected device. The message sent by the malware operator through FCM can contain a command, which, upon receipt, triggers the execution of corresponding functionality within the malware. This eliminates the need for an ongoing connection with the device.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Fox-IT has the story.
Here's how it works:
