An Android banking Trojan relies on screen recording and keylogging, rather than HTML overlays, to capture login credentials. Dubbed Vultur, the malware gains full visibility into the victim device by using the VNC implementation from AlphaVNC. Remote access to the VNC server on the device is provided through ngrok, which uses secure tunnels to expose endpoints located behind NATs and firewalls to the Internet.

The mobile malware leverages the Accessibility Services to identify the application running in the foreground and, if the app is in the target list, starts screen recording. Masquerading as an application called Protection Guard, Vultur projects the screen, an operation that is visible in the notification panel.

While it is not unusual for Android banking Trojans to leverage the Accessibility Services to conduct nefarious operations, they usually employ HTML overlays to trick users into revealing their login credentials. Vultur does employ an overlay, but it uses it to gain access to all of the permissions it needs to run unhindered on the compromised device.

The malware also abuses the Accessibility Services to log all the keys that the user presses on the screen, as well as to prevent the victim from deleting the malware through manual uninstallation. When the user enters the app’s details screen in settings, the malware auto-clicks the back button to bring the user back to the main screen. The malware focuses on European countries.
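Because the behaviour described above depends on an enabled Accessibility Service, a device triage can start by listing which user-installed packages hold one. The following is an added example, not code from the original article: it parses the output of the standard `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3` commands, and every package name, sample string and the allowlist in it is a constructed assumption.

```python
# Added example (not from the original article). Inputs are the text output of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
# All sample values below are constructed; package names are hypothetical.

ENABLED_SERVICES = (  # constructed: colon-separated "package/class" entries
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakeguard/com.example.fakeguard.MainService:"
    "com.example.passwordmanager/.AutofillHelper"
)
THIRD_PARTY = (  # constructed: user-installed packages
    "package:com.example.fakeguard\n"
    "package:com.example.passwordmanager\n"
    "package:com.example.notes\n"
)
ALLOWLIST = {"com.example.passwordmanager"}  # hypothetical approved apps


def parse_services(raw):
    """Return (package, class) pairs from the settings value."""
    raw = raw.strip()
    if raw in ("", "null"):  # 'null' is printed when the setting is unset
        return []
    pairs = []
    for comp in raw.split(":"):
        pkg, sep, cls = comp.strip().partition("/")
        if not sep or not pkg or not cls:
            continue  # skip malformed entries
        if cls.startswith("."):  # expand shorthand class names
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_packages(raw):
    """Return the set of package names from 'pm list packages' output."""
    return {l.split(":", 1)[1].strip()
            for l in raw.splitlines() if l.startswith("package:")}


def flag_services(services_raw, packages_raw, allowlist):
    """User-installed, non-allowlisted packages with an enabled service."""
    user_pkgs = parse_packages(packages_raw)
    return [(p, c) for p, c in parse_services(services_raw)
            if p in user_pkgs and p not in allowlist]


if __name__ == "__main__":
    for pkg, cls in flag_services(ENABLED_SERVICES, THIRD_PARTY, ALLOWLIST):
        print(f"review: {pkg} has accessibility service {cls} enabled")
```

A flagged package is a lead for manual review, not a verdict: legitimate assistive and password-manager apps also enable Accessibility Services.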

The Vultur campaign appears to be linked to Brunhilda, a privately operated dropper that previously delivered Alien, a variant of the Cerberus banking malware that was observed in Google Play several months ago.

The Brunhilda sample associated with Vultur has over 5,000 installs, out of more than 30,000 that Brunhilda droppers are estimated to have had through Google Play and unofficial stores.