April 1, 2024 at 02:15AM
The Android banking trojan Vultur has reappeared with enhanced features and more sophisticated detection-evasion tactics, giving its operators remote control of infected devices and the ability to harvest data. It is distributed through trojanized apps and a dropper-as-a-service operation. The Octo trojan has likewise shifted to a service-based model, offering advanced features and infecting thousands of devices, concentrated in a handful of countries. Separately, a new campaign in India distributes malicious APK packages to steal banking and other confidential information from victims' devices.
The key takeaways are:
1. The Android banking trojan Vultur has reappeared with enhanced features and improved anti-analysis and detection evasion techniques, allowing remote interaction with mobile devices to harvest sensitive data.
2. Vultur is utilizing techniques such as encrypting its C2 communication, using multiple encrypted payloads, and masquerading as legitimate applications for malicious actions. It is being distributed through trojanized dropper apps on the Google Play Store, posing as authenticator and productivity apps.
3. Observations by NCC Group show that Vultur’s attack chains involve the distribution of droppers via SMS messages and phone calls, known as the telephone-oriented attack delivery (TOAD) technique, ultimately serving an updated version of the malware.
4. Vultur’s recent developments focus on maximizing remote control over infected devices, including issuing commands for scrolling, swipe gestures, clicks, volume control, app blocking, and file manager functionality.
5. Additionally, the Octo (aka Coper) Android banking trojan has transitioned to a malware-as-a-service operation, offering advanced features such as keylogging, interception of messages and notifications, control over the device’s screen, and remote access capabilities.
6. Octo campaigns have reportedly compromised 45,000 devices, primarily in Portugal, Spain, Turkey, and the U.S., with other victims located in France, the Netherlands, Canada, India, and Japan.
7. Lastly, a new campaign targeting Android users in India has been identified, distributing malicious APK packages posing as online booking, billing, and courier services, with a focus on stealing banking information, SMS messages, and other confidential data from victims’ devices.
These takeaways provide a comprehensive view of the current landscape of Android banking trojans and the evolving tactics they employ.