Android Banking Trojan 'Vultur' Abusing Accessibility Services (Security News, July 2021)
A newly discovered Android banking Trojan relies on screen recording and keylogging instead of HTML overlays to capture login credentials, according to security researchers at ThreatFabric.
ThreatFabric said the mobile malware leverages the Accessibility Services to identify the application running in the foreground and, if the app is in the target list, the malware starts screen recording.
While it is not unusual for Android banking Trojans to leverage the Accessibility Services to conduct nefarious operations, they usually employ HTML overlays to trick users into revealing their login credentials.
The malware also abuses the Accessibility Services to log all the keys that the user presses on the screen, as well as to prevent the victim from deleting the malware through manual uninstallation.
Vultur targets various banking applications, mainly focusing on users in Australia, Italy, and Spain.
According to ThreatFabric, the Vultur campaign appears linked to Brunhilda, a privately operated dropper that previously delivered Alien, a variant of the Cerberus banking malware that was observed in Google Play several months ago.
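The foreground-app detection, keylogging and uninstall blocking described above all depend on the malware holding an enabled accessibility service, so reviewing which apps have that access is a practical device check. The following is an added example, not code from ThreatFabric or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services`, and the allowlist, the sample string and the `com.example.fitnesstracker` package are constructed for illustration.

```python
"""Triage of enabled Android accessibility services (added example)."""

# Assumption: the input string was collected on a host with
#   adb shell settings get secure enabled_accessibility_services
# which prints colon-separated "package/class" components, or "null".

# Hypothetical allowlist of packages expected to hold accessibility
# access on managed devices (here only the TalkBack screen reader).
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Return a list of (package, full_class_name) tuples."""
    raw = (raw or "").strip()
    if not raw or raw == "null":  # nothing enabled
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            # Malformed entry: keep it so a human reviews it.
            services.append((entry, ""))
            continue
        if cls.startswith("."):  # short form, relative to the package
            cls = package + cls
        services.append((package, cls))
    return services


def unexpected_services(raw, allowed=ALLOWED_PACKAGES):
    """Services whose package is not on the allowlist."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in allowed]


# Constructed sample output: one expected service, one unexpected.
SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fitnesstracker/.SyncService"
)

if __name__ == "__main__":
    for package, cls in unexpected_services(SAMPLE):
        print(f"review: {package} holds accessibility access via {cls or '?'}")
```

An app that has no accessibility purpose yet appears in this list is a candidate for closer inspection; the check flags access, not malice.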