New Android Malware Uses VNC to Spy and Steal Passwords from Victims
Security News, July 2021
A previously undocumented Android-based remote access trojan has been found to use screen recording features to steal sensitive information on the device, including banking credentials, and open the door for on-device fraud.
"For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric said in a write-up shared with The Hacker News.
While banking malware such as MysteryBot, Grandoreiro, Banker.BR, and Vizom have traditionally relied on overlay attacks - i.e., creating a false version of the bank's login page and overlaying it on top of the legitimate app - to trick victims into revealing their passwords and other important private information, evidence is mounting that threat actors are pivoting away from this approach.
Vultur adopts a similar tactic in that it takes advantage of accessibility permissions to capture keystrokes and leverages VNC's screen recording feature to stealthily log all activities on the phone, thus obviating the need to register a new device and making it difficult for banks to detect fraud.
What's more, the malware employs ngrok, a cross-platform utility used to expose local servers behind NATs and firewalls to the public internet over secure tunnels, to provide remote access to the VNC server running locally on the phone.