New Android Malware Uses VNC to Spy and Steal Passwords from Victims
2021-07-29 07:51

A previously undocumented Android-based remote access trojan has been found to use screen recording features to steal sensitive information on the device, including banking credentials, and open the door for on-device fraud.

"For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric said in a write-up shared with The Hacker News.

While banking malware such as MysteryBot, Grandoreiro, Banker.BR, and Vizom have traditionally relied on overlay attacks - i.e., creating a false version of the bank's login page and overlaying it on top of the legitimate app - to trick victims into revealing their passwords and other important private information, evidence is mounting that threat actors are pivoting away from this approach.

Vultur adopts a similar tactic in that it takes advantage of accessibility permissions to capture keystrokes and leverages VNC's screen recording feature to stealthily log all activities on the phone, thus obviating the need to register a new device and making it difficult for banks to detect fraud.

What's more, the malware employs ngrok, a cross-platform utility used to expose local servers behind NATs and firewalls to the public internet over secure tunnels, to provide remote access to the VNC server running locally on the phone.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/ncp9E0wkAaw/new-android-malware-uses-vnc-to-spy-and.html

Related vendor

LAST 12M
VENDOR    #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Android   4            0     17       2      0          19