Learn more about Vultur, the Android banking trojan, and what it takes to protect your banking app.
Banking trojan Vultur has been observed targeting banks in the Nordics according to first-hand reports received by Promon. First discovered in 2021, Vultur malware targets Android users by posing as a security app, with the ultimate aim of harvesting sensitive user data from banking apps.
Originally, Vultur worked as a straightforward overlay attack, which is easily thwarted with the right security tools in place. However, its creators upgraded the malware in 2024 with several new features, including advanced detection evasion, improved anti-analysis, and upgraded remote control capabilities. With the overall number of victims estimated to be over 30,000, understanding how Vultur works and how to secure your mobile banking app is essential to protect your customers from harm.
How Vultur works
While the traditional banking trojan relies on users typing their credentials into what they believe is a legitimate banking app, Vultur uses an alternative technique: abuse of accessibility services. In its latest generation, Vultur targets Android users through an SMS message alerting them to an unauthorized banking transaction and directing them to call a phone number for assistance. On the call, the scammer sends another SMS message instructing them to install a fake version of the McAfee Security app from the Google Play Store, which is actually a Brunhilda dropper. Once installed, the malware decrypts and executes three payloads (two APKs and a DEX file), establishing a connection to the Command-and-Control (C2) server and giving the threat actors control of accessibility services for remote access via AlphaVNC and ngrok.
"Vultur's recent developments have shown a shift in focus towards maximizing remote control over infected devices," NCC Group researcher Joshua Kamp said in a report published on the banking trojan’s new developments.
What Vultur can do
Boasting seven new C2 methods, Vultur can click, scroll, and swipe, and can block apps from running, showing the user either custom HTML retrieved through the vnc.blocked.packages C2 method or a “Temporarily Unavailable” message.
Other uses include bypassing the lock screen by disabling the keyguard to gain unrestricted device access, and file management actions that can download, upload, delete, install, and find files. With these tools, sensitive information such as passwords and login details is obtained and funds can be taken from the victim’s bank account.
Why this matters
New detection evasion and obfuscation techniques, such as AES encryption and static app scanning (i.e. encrypting parts of the app and downloading commands, amongst other functions), make Vultur’s latest update even more dangerous, as it’s more difficult than ever to detect.
Utilizing legitimate apps like McAfee Security also enables the malware to mask its malicious actions. The modified version looks like a legitimate app, with the same icons and user interface, and even contains some of the original app code, but in addition contains malware code that can attack users.
Then there’s the question of payloads — previous versions of the Brunhilda dropper delivered Vultur through a single payload, but Vultur is now dropped by the latest variant in three layers. The new dropper is a modified version of the legitimate McAfee Security app, and it retains the official app's functionality, giving it a low detection rate among users.
Google released a statement addressing concerns over the malware, stating that “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
But, to put it bluntly, that’s not good enough — and it’s certainly not a problem solved, unfortunately for all involved. This is where reputable mobile security apps come in, offering an extra layer of protection against malware like Vultur.
How Promon SHIELD protects against Vultur
SHIELD offers several layers of protection against this kind of attack.
The first protection layer in SHIELD is screen reader protection. This protection directly blocks the broadcasting of the accessibility node information, preventing malware from accessing information about the app screens.
The second protection layer in SHIELD prevents input injection. Even though the malware doesn’t have information about what to inject or where to inject it, it can technically inject random clicks into random places. Emulated input detection is an additional feature offered by SHIELD, enabled through checkEmulatedInput and blockEmulatedInput. It blocks accessibility service input injection as well as inputs coming from potential remote access tools. TeamViewer is an example of a legitimate remote access tool, and Vultur has a similar feature. Therefore, enabling this option will also block these remote access tools.
With these protections, Promon SHIELD can successfully mitigate the risks of Vultur and protect banking customers from fraud.
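The two capabilities discussed above, reading screen content and injecting input through accessibility services, can also be checked from inside an app with standard Android APIs. The Kotlin example below is added here for illustration; it is not Promon SHIELD's implementation and not code from the original article. The allowlist contents and the names findRiskyAccessibilityServices, hideFromNonToolServices and RiskyA11yService are assumptions made for the example.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.view.View
import android.view.accessibility.AccessibilityManager

// Assumption: allowlist chosen by the app team (constructed for this example).
// com.google.android.marvin.talkback is Google's TalkBack screen reader.
private val TRUSTED_A11Y_PACKAGES = setOf("com.google.android.marvin.talkback")

data class RiskyA11yService(
    val packageName: String,
    val canReadScreen: Boolean,     // may retrieve window content (node info)
    val canInjectGestures: Boolean  // may dispatch clicks, scrolls and swipes
)

/** Enabled accessibility services outside the allowlist that can read or drive the UI. */
fun findRiskyAccessibilityServices(context: Context): List<RiskyA11yService> {
    val manager =
        context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return manager
        .getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .mapNotNull { info ->
            val pkg = info.resolveInfo?.serviceInfo?.packageName ?: return@mapNotNull null
            val caps = info.capabilities
            val reads =
                (caps and AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0
            val injects =
                (caps and AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0
            if (pkg in TRUSTED_A11Y_PACKAGES || !(reads || injects)) null
            else RiskyA11yService(pkg, reads, injects)
        }
}

/** Hide a sensitive view's node data from services not declared as accessibility tools. */
fun hideFromNonToolServices(sensitiveView: View) {
    // setAccessibilityDataSensitive exists from Android 14 (API 34) onward.
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
        sensitiveView.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
    }
}
```

A non-empty result is a risk signal for step-up checks rather than proof of malware, because legitimate assistive tools declare the same capabilities.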