New Android Malware Uses VNC To Spy and Steal Passwords From Victims (thehackernews.com)
A previously undocumented Android-based remote access trojan (RAT) has been found to use screen recording features to steal sensitive information on the device, including banking credentials, and open the door for on-device fraud. The Hacker News reports: Dubbed "Vultur" due to its use of Virtual Network Computing (VNC)'s remote screen-sharing technology to gain full visibility on targeted users, the mobile malware was distributed via the official Google Play Store and masqueraded as an app named "Protection Guard," attracting over 5,000 installations. Banking and crypto-wallet apps from entities located in Italy, Australia, and Spain were the primary targets. "For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric said in a write-up shared with The Hacker News. "The actors chose to steer away from the common HTML overlay development we usually see in other Android banking Trojans: this approach usually requires a larger time and effort investment from the actors to create multiple overlays capable of tricking the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result."
Vultur [...] takes advantage of accessibility permissions to capture keystrokes and leverages VNC's screen recording feature to stealthily log all activities on the phone, thus obviating the need to register a new device and making it difficult for banks to detect fraud. What's more, the malware employs ngrok, a cross-platform utility used to expose local servers behind NATs and firewalls to the public internet over secure tunnels, to provide remote access to the VNC server running locally on the phone. Additionally, it also establishes connections with a command-and-control (C2) server to receive commands over Firebase Cloud Messaging (FCM), the results of which, including extracted data and screen captures, are then transmitted back to the server.
ThreatFabric's investigation also connected Vultur with another well-known piece of malicious software named Brunhilda, a dropper that utilizes the Play Store to distribute different kinds of malware in what's called a "dropper-as-a-service" (DaaS) operation, citing overlaps in the source code and C2 infrastructure used to facilitate attacks. These ties, the Amsterdam-based cybersecurity services company said, indicate Brunhilda to be a privately operating threat actor that has its own dropper and proprietary RAT Vultur.
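The summary describes Vultur's two core ingredients: an enabled accessibility service that the user granted, and a VNC server listening locally on the phone. A defender triaging a device can check for exactly that pairing from two ADB commands. The script below is an added example, not code from ThreatFabric or The Hacker News; the sample outputs and the package name `com.example.protectionguard` are constructed, and the allowlist of vetted accessibility packages is an assumption the analyst would fill in.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated ComponentName list; only TalkBack is a real package here).
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.protectionguard/.ScreenReaderService"
)

# Constructed sample of `adb shell netstat -ltn` captured on the device.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN
tcp6       0      0 :::5555                 :::*                    LISTEN
"""

# Assumed allowlist: accessibility packages the analyst has vetted as legitimate.
ALLOWLIST = {"com.google.android.marvin.talkback"}

VNC_PORTS = range(5900, 6000)  # RFC 6143: VNC listens on 5900 + display number

def unvetted_accessibility_services(setting_value, allowlist=ALLOWLIST):
    """Return enabled accessibility components whose package is not allowlisted."""
    if setting_value.strip() in ("", "null"):
        return []
    found = []
    for component in setting_value.strip().split(":"):
        pkg = component.split("/", 1)[0]
        if pkg not in allowlist:
            found.append(component)
    return found

LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.M)

def vnc_listeners(netstat_output):
    """Return (address, port) pairs for TCP listeners in the VNC port range."""
    return [(addr, int(port)) for addr, port in LISTEN_RE.findall(netstat_output)
            if int(port) in VNC_PORTS]

def triage(setting_value, netstat_output):
    """Both signals together (accessibility abuse + local VNC server) is the Vultur pattern."""
    services = unvetted_accessibility_services(setting_value)
    vnc = vnc_listeners(netstat_output)
    return {"unvetted_services": services, "vnc_listeners": vnc,
            "matches_pattern": bool(services) and bool(vnc)}

if __name__ == "__main__":
    print(triage(ENABLED_SERVICES, NETSTAT))
```

A loopback-only listener on 5900 is still worth flagging: the summary notes the malware reaches it through an ngrok tunnel rather than by exposing the port directly.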
Dupe (Score:3)
I've always wanted to be the first to say dup. Bet I'm still not. Lol
Re: Dupe (Score:3)
What on earth's going on with Android? (Score:3)
That's two serious VNC exploits in one week!
Re: (Score:1)
The difference between you and the editors is that you actually read this site before posting.
Re: (Score:2)
Re: (Score:1)
Portable loopholes. (Score:3)
Almost makes one want to go back to a feature phone, but people wanted a portable computer and we all know how secure those are.
Re: (Score:2)
They're as secure as the operating system and user want them to be. The Android operating system is designed firstly to deliver adverts and secondly to report user activity to a third party. Technically users can opt-out of this but since that avoids 90% percent of free stuff, the user's choices are pay for some privacy or avoid most of the software on Google Play. Most users choose neither.
Re: (Score:1)
Re: (Score:2)
New Android malware needs user action to work (Score:2)
So, a total non-story.
They should've launched an android vnc server that (Score:3)
They would probably have made way more money just launching a free or cheap android vnc server (not client) that works reliably and on all devices !
Currently teamviewer host (that's the server) works ok'ish on 5-6 android phones while 1-2 open source vnc servers need a lot of fiddling to work sporadically and not on all phones
Even Samsung Flow would mirror your phone screen to other phones or laptops after a lot of issues. 2-3 paid vnc-servers have all got weird limitations.
In fact Microsoft Link or 'Your Phone' (name keeps changing) is the only reliable option I have found but it insists on routing all calls to my laptop speaker compulsorily.
And it can't run unobtrusively like you have vnc servers running on laptops on windows or linux.
Also it doesn't go over the 4G network reliably even though it claims to.
Teamviewer does go nicely over 4G etc but keeps kicking me out saying I am using it commercially. I just keep it installed in 5-6 devices - I hardly connect and use it more than 1-2 days a month.
Rant of the Day (Score:2)
"We consider Global Layer B.V. to be a potentially very high fraud risk ISP, by which we mean that web traffic from this ISP potentially poses a very high risk of being fraudulent. Other types of traffic may pose a different risk or no risk. They operate 32,222 IP addresses, almost all of which are running anonymizing VPNs, servers, and public proxies. They manage IP addresses for organisations including Fine Group Servers Solutions LLC, Traf