This Vultur app takes malicious to the next level

As if IT needs more reminders that apps in app stores may not be secure, a Netherlands security firm has found a new Android dropper app dubbed Vultur. It offers, and delivers, legitimate functionality, then shifts into malicious mode when it detects financial activities.


A Netherlands security research firm has uncovered a new Android dropper app, dubbed Vultur, that delivers legitimate functionality, then silently shifts into malicious mode when it detects banking and other financial activities.

Vultur, found by ThreatFabric, captures financial-institution credentials by keylogging and screen recording while the victim's banking session is live, so funds can be moved right away, invisibly, from inside an authenticated session. And should the victim realize what is happening and try to remove it, the app fights back by closing the Settings menu.

(Note: Always keep your bank's phone number on paper, so that a direct call to a local branch can freeze the account and save your money. If the number is only on your phone and the phone is compromised or locked, you're out of luck.)

"Vultur is able to monitor applications that are launched and start screen recording/keylogging once the targeted application is launched," according to ThreatFabric. "Besides that, screen recording is launched every time the device is unlocked to capture the PIN-code/graphic password used to unlock the device. Analysts tested the Vultur capabilities on a real device and can confirm that Vultur successfully records a video of entering the PIN-code/graphic password when unlocking the device and entering credentials in the targeted banking application."

According to the ThreatFabric report, "Vultur uses droppers posing as some additional tools, like MFA authenticators, located in the official Google Play Store as a main distribution way, therefore, it is hard for end users to distinguish malicious applications. Once installed, Vultur will hide its icon and request Accessibility Service privileges to perform its malicious activity. Being provided with these privileges, Vultur also activates a self-defense mechanism that makes it hard to uninstall it: if the victim tries to uninstall the trojan or disable Accessibility Service privileges, Vultur will close the Android Settings menu to prevent it."

It's worth noting that using biometrics to log in to a financial app, common these days on both Android and iOS, is generally an excellent move. It won't help here, though, because the malware piggybacks on the live session after you have already authenticated. A fingerprint or face scan gives the attacker nothing reusable for the next session (hopefully), but it does nothing to fend off the current attack.

ThreatFabric did offer three suggestions for getting out of Vultur's grip. One: boot the phone into safe mode, "preventing the malware from running," and then try to uninstall the app. Two: "use ADB (Android Debug Bridge) to connect to the device via USB and run the command adb uninstall <malware_package_name>." Three: perform a factory reset.

Beyond the fact that these steps require a big clean-up to return the phone to its prior usable state, the ADB route also requires the victim to know the package name of the malicious app. That may not be easy to determine, since Vultur hides its icon, unless the victim installs very few apps that are not well-known.
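The package name is the sticking point in the ADB removal step, and the Accessibility Service privilege is the capability ThreatFabric says Vultur depends on. The following POSIX shell script is an added example, not code from ThreatFabric or from this column, that narrows the search: it cross-references the third-party packages installed on the device (adb shell pm list packages -3) against the packages holding Accessibility Service privileges (the Android secure setting enabled_accessibility_services) and prints the candidates together with the matching uninstall command. The sample ADB output and every package name in it are constructed for illustration; nothing here is a real Vultur identifier.

```shell
#!/bin/sh
# Triage helper (added example): shortlist third-party apps that hold
# Accessibility Service privileges, then print the ADB uninstall command.
# Runs offline on the constructed sample output below; pass --live to query
# a USB-connected device through adb instead.

# Constructed sample of `adb shell pm list packages -3` output.
# The package names are hypothetical, not real Vultur identifiers.
SAMPLE_PACKAGES="package:com.example.notes
package:com.example.fakeauthenticator
package:com.example.weather"

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Format: colon-separated component names, package/service_class.
SAMPLE_SERVICES="com.example.fakeauthenticator/com.example.fakeauthenticator.AccSvc:com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# parse_third_party: "package:<name>" lines -> sorted unique package names.
# Strips carriage returns, which some adb builds append to shell output.
parse_third_party() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | sort -u
}

# parse_enabled_services: colon-separated component list -> package names.
# The setting reads "null" on a device with no services enabled; sed then
# matches nothing and the function prints nothing.
parse_enabled_services() {
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' \
        | sed -n 's#^\([^/]*\)/.*$#\1#p' | sort -u
}

# suspects: packages that are BOTH third-party AND enabled accessibility
# services. Exact-line matching (grep -Fx) avoids com.foo matching com.foo.bar.
suspects() {
    svc=$(parse_enabled_services "$2")
    for pkg in $(parse_third_party "$1"); do
        if printf '%s\n' "$svc" | grep -qFx -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# report: print each suspect with the command ThreatFabric recommends.
# This only prints; a human decides what to uninstall.
report() {
    for pkg in $(suspects "$1" "$2"); do
        printf 'Third-party app with Accessibility privileges: %s\n' "$pkg"
        printf '  To remove: adb uninstall %s\n' "$pkg"
    done
}

if [ "${1:-}" = "--live" ] && command -v adb >/dev/null 2>&1; then
    # Live mode: real device output. Both commands are standard Android tools.
    report "$(adb shell pm list packages -3)" \
           "$(adb shell settings get secure enabled_accessibility_services)"
elif [ "${1:-}" = "--live" ]; then
    echo "adb not found on PATH" >&2
    exit 1
elif [ "${1:-}" = "--demo" ]; then
    # Demo mode: run the same logic over the constructed sample output.
    report "$SAMPLE_PACKAGES" "$SAMPLE_SERVICES"
fi
```

Run it with --demo to see the logic on the constructed sample, or --live with a USB-debugging-enabled phone connected. Pre-installed accessibility services such as TalkBack are not third-party packages and drop out of the intersection, which is why the script lists only the sideloaded or store-installed app that holds the privilege; the same query is a reasonable thing for IT to run as a periodic check on managed devices.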

As I suggested in a recent column, the best defense is to have all end users only install apps that IT has pre-approved. And if a user finds a new desired app, submit it to IT, and wait for an approval. (OK, you can stop laughing now.) No matter what policy says, most users are going to install what they want, when they want it. This is true on a corporate-owned device as much as for a BYOD device owned by the worker.

Further complicating this mess is that users tend to implicitly trust apps offered in an official manner through Google and Apple. Although it is absolutely true that both mobile OS firms need to, and can, do far more to screen apps, the sad truth may be that today's volume of new apps may make such efforts ineffective or even futile.

Consider Vultur. Even ThreatFabric's CEO, Cengiz Han Sahin, said that he doubts either Apple or Google could have blocked Vultur, regardless of the number of security analysts and machine learning tools deployed.

"I think they (Google and Apple) are doing their best. This is just too difficult to detect, even with all the [machine learning] and all the new toys they have to detect these threats," Sahin said in an interview. "They have chosen to be an open platform and these are the consequences."

A key part of the detection problem is that the criminals behind these droppers truly deliver the promised functionality before the app turns malicious. Someone testing the app would therefore just find that it does what it promises. To find the nefarious aspects, a system or person would have to carefully examine all of the code, and even then the malicious behavior may be gated on a later command from the operator. "The malware doesn't really become malware until the actor decides to do something malicious," Sahin said.

It would also help if financial institutions did a bit more to help. Payment cards (debit and credit) do an impressive job of flagging and pausing any transactions that appear to be a deviation from the norm. Why can't those same financial institutions perform similar checks for all online money transfers?

This brings us back to IT. There have to be consequences for users who disregard IT policy. Relying on the suggestions cited for removing Vultur, particularly a factory reset, also means a definite possibility of data loss. What if it's enterprise data that is lost? What if that data loss requires the team to redo hours of work? What if it delays the delivery of something owed to a customer? Is it right for the line-of-business budget to take a hit when the loss was caused by an employee or contractor violating policy?

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman.

Copyright © 2021 IDG Communications, Inc.