Mobile phones, 09.11.2022, 11:00 AM
The Android banking Trojan Vultur has reached more than 100,000 total downloads on the Google Play Store, according to a new report by cyber security experts from the company Cleafy, who have noticed an increase in the number of Vultur malware infections among their users in the last two months.
The dropper discovered by Cleafy in the Google Play Store in early October was hiding behind a fake utility app. Because of its relatively limited permissions, it looked like a legitimate app and was able to bypass antivirus apps and the Google Play Store's protections.
“While most banking Trojans are distributed through phishing campaigns, cybercriminals also use official app stores to deliver their malware using dropper apps, which are apps designed to download malware onto a target device,” explained the Cleafy team.
One of the primary reasons cybercriminals resort to this tactic is to reach more potential victims and make the scam more likely to succeed.
“Furthermore, because these droppers are hidden behind utility applications and come from a trusted source, they can mislead even ‘experienced’ users,” warns Cleafy.
Experts from ThreatFabric recently warned about droppers that install Vultur.
Once installed, the dropper uses advanced detection evasion techniques, including steganography, file deletion and code obfuscation, in addition to multiple checks before downloading the malware.
“Once the banking trojan (Vultur) is downloaded and installed via a fake update, threat actors can observe everything that happens on infected devices and commit banking fraud through ATO attacks (account takeover attacks),” Cleafy explained.
According to security experts, the Vultur campaigns show that cybercriminals are constantly improving their techniques to remain undetected.
“At the same time, using official app stores to deliver banking Trojans to reach more potential victims is a new trend that is gaining traction,” Cleafy said. “We expect to see new sophisticated banking campaigns in official stores in the coming months.”
The report published by Cleafy includes a list of Indicators of Compromise (IoC) for Vultur malware infections.