Researchers at ThreatFabric detected a new Remote Access Trojan (RAT) for Android used to steal banking credentials from its victims.
To do so, it logs what happens on the device's screen while also logging the events that occur on the interface (keylogging for Android).
The use of this credential theft strategy is a new development compared to the vast majority of banking trojans that we can find today. Most of them, as we have already mentioned on previous occasions, use a strategy based on displaying windows that overlap the window of the legitimate banking application (overlays).
In addition to the new development related to the credential theft strategy used by this family of banking malware, ThreatFabric researchers claim to have found certain connections with Brunhilda, a dropper used in different Android malware samples.
Brunhilda is a DaaS (Dropper as a Service) used by different malware families, and which shares a unique characteristic with Vultur, thus suggesting that the actors behind the development of both could be the same.
As for the countries and banks affected by this new banker, we can find European countries (Spain and Italy) and Australia. We will probably see new versions in the future in which new countries and entities are added.