New Android Malware Uses VNC To Spy and Steal Passwords From Victims (thehackernews.com)

A previously undocumented Android-based remote access trojan (RAT) has been found to use screen recording features to steal sensitive information on the device, including banking credentials, and open the door for on-device fraud. The Hacker News reports: Dubbed "Vultur" due to its use of Virtual Network Computing (VNC)'s remote screen-sharing technology to gain full visibility on targeted users, the mobile malware was distributed via the official Google Play Store and masqueraded as an app named "Protection Guard," attracting over 5,000 installations. Banking and crypto-wallet apps from entities located in Italy, Australia, and Spain were the primary targets. "For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric said in a write-up shared with The Hacker News. "The actors chose to steer away from the common HTML overlay development we usually see in other Android banking Trojans: this approach usually requires a larger time and effort investment from the actors to create multiple overlays capable of tricking the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result."

Vultur [...] takes advantage of accessibility permissions to capture keystrokes and leverages VNC's screen recording feature to stealthily log all activities on the phone, thus obviating the need to register a new device and making it difficult for banks to detect fraud. What's more, the malware employs ngrok, a cross-platform utility used to expose local servers behind NATs and firewalls to the public internet over secure tunnels, to provide remote access to the VNC server running locally on the phone. It also establishes connections with a command-and-control (C2) server to receive commands over Firebase Cloud Messaging (FCM); the results, including extracted data and screen captures, are then transmitted back to the server.

ThreatFabric's investigation also connected Vultur with another well-known piece of malicious software named Brunhilda, a dropper that utilizes the Play Store to distribute different kinds of malware in what's called a "dropper-as-a-service" (DaaS) operation, citing overlaps in the source code and C2 infrastructure used to facilitate attacks. These ties, the Amsterdam-based cybersecurity services company said, indicate Brunhilda to be a privately operating threat actor that has its own dropper and proprietary RAT Vultur.
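The capability combination the write-up describes (an accessibility service for keystroke capture, screen capture, and network access to relay the results) can be turned into a static triage check over a decoded AndroidManifest.xml. The following is an added example written for this page, not ThreatFabric's or Google's tooling: the two manifest fragments, the placeholder package names and the HIGH/MEDIUM/LOW thresholds are constructed for illustration; the permission names, the AccessibilityService intent action and the `mediaProjection` foreground service type are real Android identifiers.

```python
# Added example: static triage of a decoded AndroidManifest.xml for the capability
# combination the article describes (accessibility service + screen capture + network).
# A heuristic for prioritising manual review, not ThreatFabric's detection logic.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android: attributes

# Constructed manifest standing in for a decoded APK that bundles an accessibility
# service and a mediaProjection (screen-capture) foreground service. Package name is a placeholder.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".CaptureService"
             android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>
"""

# Constructed manifest for a legitimate screen-mirroring app: screen capture and
# network access, but no accessibility service.
MIRROR_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mirror">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".MirrorService"
             android:foregroundServiceType="mediaProjection|connectedDevice"/>
  </application>
</manifest>
"""


def extract_capabilities(manifest_xml: str) -> dict:
    """Pull out the capabilities that matter for this pattern."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    accessibility = False
    screen_capture = False
    for svc in root.iter("service"):
        # An accessibility service is declared via the BIND_ACCESSIBILITY_SERVICE
        # permission on the service and/or the AccessibilityService intent action.
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            accessibility = True
        for action in svc.iter("action"):
            if action.get(A + "name") == "android.accessibilityservice.AccessibilityService":
                accessibility = True
        # foregroundServiceType may be a |-separated list; mediaProjection means screen capture.
        types = (svc.get(A + "foregroundServiceType") or "").split("|")
        if "mediaProjection" in types:
            screen_capture = True
    return {
        "network": "android.permission.INTERNET" in perms,
        "accessibility": accessibility,
        "screen_capture": screen_capture,
        "boot_persistence": "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
    }


def triage(manifest_xml: str) -> tuple:
    """Return (verdict, findings). The thresholds are constructed for this example."""
    caps = extract_capabilities(manifest_xml)
    findings = [name for name, present in caps.items() if present]
    if caps["accessibility"] and caps["screen_capture"] and caps["network"]:
        verdict = "HIGH"    # keylog + screen-record + relay: the full combination
    elif caps["accessibility"] or caps["screen_capture"]:
        verdict = "MEDIUM"  # one sensitive capability; legitimate for many apps
    else:
        verdict = "LOW"
    return verdict, findings


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("mirror", MIRROR_MANIFEST)):
        verdict, findings = triage(manifest)
        print(label, verdict, ", ".join(findings))
```

The verdict only decides what a reviewer looks at first: a screen reader legitimately declares an accessibility service and a mirroring app legitimately declares `mediaProjection`, so neither alone is evidence of anything. It is the pairing of both with network access, which is exactly what the write-up describes, that earns the HIGH rating here.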

Comments:
  • by yeshuawatso ( 1774190 ) on Friday July 30, 2021 @09:11PM (#61640693) Journal

    I've always wanted to be the first to say dup. Bet I'm still not. Lol

  • by 93 Escort Wagon ( 326346 ) on Friday July 30, 2021 @09:16PM (#61640701)

    That's two serious VNC exploits in one week!

    • by Anonymous Coward

      The difference between you and the editors is that you actually read this site before posting.

    • VNC tech is highly popular these days.
      • It's popular with the malware crowd. Kind of like how they predicted X would be. But why write your own terminal when you can just copy/paste one?
  • by Ostracus ( 1354233 ) on Friday July 30, 2021 @10:34PM (#61640797) Journal

    Almost makes one want to go back to a feature phone, but people wanted a portable computer and we all know how secure those are.

    • ... we all know how secure those are.

      They're as secure as the operating system and user want them to be. The Android operating system is designed firstly to deliver adverts and secondly to report user activity to a third party. Technically users can opt out of this, but since that avoids 90% of free stuff, the user's choices are pay for some privacy or avoid most of the software on Google Play. Most users choose neither.

      • Can't blame the users on this one... Switched networks as a rule don't tolerate remote shells through virtual terminals. All the talk of how SS7 is sooo insecure, but with no/not many end user exploits.
    • Why? Every single app that uses the screen recording asks if you want to stream your screen. If you're stupid enough to say yes to the "Click yes if you want to expose your passwords and sensitive information" prompt, then you deserve to get attacked. The phrasing is literally that: https://sendbird.com/wp-conten... [sendbird.com]
  • "Dubbed "Vultur" due to its use of Virtual Network Computing (VNC)'s remote screen-sharing technology to gain full visibility on targeted users, the mobile malware was distributed via the official Google Play Store and masqueraded as an app named "Protection Guard,""

    So, a total non-story.
  • They would probably have made way more money just launching a free or cheap Android VNC server (not client) that works reliably and on all devices!

    Currently TeamViewer Host (that's the server) works OK-ish on 5-6 Android phones, while 1-2 open source VNC servers need a lot of fiddling to work sporadically and not on all phones.

    Even Samsung Flow would mirror your phone screen to other phones or laptops after a lot of issues. 2-3 paid VNC servers have all got weird limitations.

    In fact Microsoft Link or 'Your Phone' (the name keeps changing) is the only reliable option I have found, but it insists on routing all calls to my laptop speaker compulsorily.
    And it can't run unobtrusively like you have VNC servers running on laptops on Windows or Linux.
    Also it doesn't go over the 4G network reliably, even though it claims to.

    TeamViewer does go nicely over 4G etc. but keeps kicking me out saying I am using it commercially. I just keep it installed on 5-6 devices - I hardly connect and use it more than 1-2 days a month.

  • Seems like a good spot to dump some info... from Scamalytics:

    "We consider Global Layer B.V. to be a potentially very high fraud risk ISP, by which we mean that web traffic from this ISP potentially poses a very high risk of being fraudulent. Other types of traffic may pose a different risk or no risk. They operate 32,222 IP addresses, almost all of which are running anonymizing VPNs, servers, and public proxies. They manage IP addresses for organisations including Fine Group Servers Solutions LLC, Traf
