David García, Sep 30, 2021

Vultur: Theft of Credentials through the Accessibility Event Log together with the Recording of the Infected Device's Screen

Researchers at ThreatFabric detected a new Remote Access Trojan (RAT) for Android used to steal banking credentials from its victims.

To do so, it records what happens on the device's screen while also logging the accessibility events that occur in the user interface (in effect, keylogging for Android).

The use of this credential theft strategy is a new development compared to the vast majority of banking trojans that we can find today. Most of them, as we have already mentioned on previous occasions, use a strategy based on displaying windows that overlap the window of the legitimate banking application (overlays).
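A defender-side triage check for the capability pairing described above, as an added example that is not from the ThreatFabric report or the original post: it scans a decoded AndroidManifest.xml (for instance, one unpacked with apktool) for a service guarded by `BIND_ACCESSIBILITY_SERVICE` together with a `mediaProjection` foreground service. The sample manifest, its package name and the function name are constructed, and treating the pairing as a review trigger is an assumption of this example, not a Vultur signature.

```python
import xml.etree.ElementTree as ET

# Namespace prefix that android:* attributes resolve to in a decoded manifest.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical package), not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".UiWatcher"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".ScreenCast"
        android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return the accessibility and screen-capture services an app declares."""
    root = ET.fromstring(manifest_xml)
    accessibility, capture = [], []
    for svc in root.iter("service"):
        name = svc.get(A + "name", "?")
        # An accessibility service is declared with this binding permission.
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            accessibility.append(name)
        # foregroundServiceType may combine several values separated by '|'.
        if "mediaProjection" in svc.get(A + "foregroundServiceType", "").split("|"):
            capture.append(name)
    return {
        "package": root.get("package"),
        "accessibility_services": accessibility,
        "screen_capture_services": capture,
        # Heuristic (assumption): both capabilities in one app warrant manual review.
        "review": bool(accessibility and capture),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Legitimate apps such as screen readers and remote-support tools can declare either capability, so a hit is a prompt for manual review rather than a verdict.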

In addition to the new development related to the credential theft strategy used by this family of banking malware, ThreatFabric researchers claim to have found certain connections with Brunhilda, a dropper used in different Android malware samples.

Brunhilda is a DaaS (Dropper as a Service) used by different malware families, and it shares a unique characteristic with Vultur, which suggests that the actors behind the development of both could be the same.

As for the countries and banks affected by this new banker, we can find European countries (Spain and Italy) and Australia. We will probably see new versions in the future in which new countries and entities are added.

Download the full report here.

