New Vultur Malware Version Includes Enhanced Remote Control and Evasion Capabilities

Summary:
The latest updates to Vultur introduce several significant changes, including enhanced remote control capabilities and the addition of new features. One notable addition is the malware's utilization of Android's Accessibility Services, allowing for remote interaction with infected devices through commands sent via Firebase Cloud Messaging (FCM). This enables the malware operator to perform various actions such as clicks, scrolls, swipe gestures, and more, without the need for a continuous connection.

Additionally, Vultur now includes a file manager feature, providing the actor(s) with greater control over infected devices. This feature allows for the download, upload, deletion, installation, and location of files. Another intriguing feature is the ability to block the victim from interacting with certain apps on their device. The malware operator can specify a list of apps to block, and upon detection, the malware will press back and display custom HTML code or a default message.

Furthermore, Vultur has implemented new obfuscation and detection evasion techniques, including AES-encrypted and Base64-encoded HTTPS traffic, and the use of legitimate package names to disguise malicious actions. The execution flow of Vultur involves multiple layers, with the malware being delivered through a modified version of the legitimate McAfee Security app. Each layer performs specific functions, such as registering with the C2 server, obtaining Accessibility Service privileges, and installing subsequent payloads.
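Because the payload's capabilities hinge on holding Accessibility Service privileges, a practical triage check is to enumerate which services a device has enabled and compare them against what is expected. The script below is an added example, not code from NCC Group's report or from the malware: it parses the output of two real adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`), flags services whose package is not on an allowlist, and, since the report notes that legitimate package names are reused as a disguise, also flags an allowlisted name whose app was not installed from a trusted source. The allowlist, the trusted-installer set and the sample device output are constructed assumptions for this example.

```python
import re

# Assumption: an organisation-specific allowlist of packages expected to hold
# Accessibility Service permission (constructed for this example; TalkBack's
# real package name is used as the one legitimate entry).
ALLOWED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Installer package names treated as trusted app sources (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw):
    """Parse the value of the secure setting `enabled_accessibility_services`.

    The setting is a colon-separated list of component names ("pkg/cls").
    A class starting with '.' is shorthand for "pkg.cls". Returns a list of
    (package, fully qualified class) tuples; an empty or "null" value yields [].
    """
    raw = (raw or "").strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        component = component.strip()
        if not component or "/" not in component:
            continue
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw):
    """Parse `pm list packages -i` output into {package: installer}."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def flag_accessibility_services(enabled_raw, installers_raw,
                                allowed=ALLOWED_ACCESSIBILITY_PACKAGES,
                                trusted_installers=TRUSTED_INSTALLERS):
    """Return a list of (component, reason) findings.

    A service is flagged when its package is not allowlisted, or when the
    package name is allowlisted but the app did not come from a trusted
    installer (a name match alone does not rule out a look-alike package).
    """
    installers = parse_installers(installers_raw)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        component = f"{pkg}/{cls}"
        if pkg not in allowed:
            findings.append((component, "package not on accessibility allowlist"))
        elif installers.get(pkg) not in trusted_installers:
            findings.append((component,
                             f"allowlisted name but installer={installers.get(pkg)}"))
    return findings


# Constructed sample output standing in for:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.sideloaded.security/com.example.sideloaded.security.AccService"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded.security  installer=null
"""

if __name__ == "__main__":
    for component, reason in flag_accessibility_services(SAMPLE_ENABLED, SAMPLE_INSTALLERS):
        print(f"FLAG {component}: {reason}")
```

In fleet use, the two raw strings would come from each device via adb or an MDM command channel; the installer check is what catches a sideloaded app that borrows a legitimate package name, which a name-only allowlist would wave through.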

Security Officer Comments:
Of particular concern is Vultur's ability to remotely interact with infected devices without the need for a continuous connection, enhancing its stealth and persistence. This poses a serious threat to users' privacy and security, as malicious actors can execute a range of actions, including file manipulation and app blocking, with unprecedented ease.

Suggested Corrections:
To mitigate the threat posed by Vultur and similar Android malware, organizations should implement a multi-layered approach to cybersecurity. This includes deploying strong endpoint protection solutions capable of detecting and blocking malicious apps, regularly updating and patching devices to address known vulnerabilities, and educating users about the risks of downloading apps from untrusted sources.

Link(s):
https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its-wingspan/