A new report by ThreatFabric discusses the recent Vultur malware, primarily used as a banking trojan on Android devices. Vultur continues two trends recently documented by Threat Watch. While currently used as a banking trojan, Vultur is in a fact a full Remote Access Trojan (RAT) granting complete access and control over a successfully infected device. In addition, Vulture uses a Virtual Network Computing (VNC) server to directly connect and record user actions on a device, instead of false login screens or other logging and strategies. Activity was most concentrated on cryptocurrency wallets and Italian, Spanish, and Australian banking institutions. Attacks occur via downloads of putative apps via the Google Play store; ThreatFabric has found some evidence of a connection between Vultur and the so-called Brunhilda dropper framework for Google Play Store, and proposes these are developed by the same malware group.
Work from home (WFH) and Bring Your Own Device (BYOD) policies create risks for the enterprise environment if individual phones are threatened by targeted malware infection. Threat actors can attempt to pivot over wi-fi networks and establish persistence on misconfigured or vulnerable enterprise networks, or simply use direct access to the Android device to read sensitive work email and shared documents from the company. In addition, with RAT granting full control over the phone, this is a possibility that such access may be resold or licensed to other specialized threat actors for such purposes. Cybersecurity awareness education to guide end users in avoiding untrustworthy apps or apps with limited distribution is essential. Mobile Device Management (MDM), Network Access Control solutions, conditional access policies, and Identity and Access Management (IAM) are all essential technical and administrative controls for reducing this risks, as is a defense in depth strategy that includes Managed Detection and Response (MDR) and proactive threat hunting.