Vultur Malware on Android Devices – 12 points you must know

Threat Fabric has published a research report on its blog. The security research firm has stated that a new malware – Vultur has the potential to cause major threats for Android users, who make use of Banking apps and websites for online banking. Below, we present the main points that you must be aware of about this new threat coming out in the online Banking world.

1. Vultur is a malware that affects Android users. It affects Android mobile phone users, and also the tablet users.

2. The malware uses legitimate technology of VNC to target Banking users that make use of Android phones to conduct online banking transactions.

3. At the heart of the malware activity is the use of a dropper -Brunhilda. This dropper is used through an app to install on an Android device. The dropper is used by legitimate Android apps and 2FA authenticators. One of the compromised apps was downloaded from the Google Play Store over 5,000 times. However, it is estimated that the dropper would have already been installed through the apps on over 30,000 devices worldwide. The affected or compromised app was removed from the Google Play Store.

4. The two compromised apps on the Google Play Store are

Protection Guard with a package name of com.appsmastersafey and SHA signature – f4d7e9ec4eda034c29b8d73d479084658858f56e67909c2ffedf9223d7ca9bd2
Authenticator 2FA with a package name of and the SHA signature of 7ca6989ccfb0ad0571aef7b263125410a5037976f41e17ee7c022097f827bd74

5. Vultur makes use of screen recording and key logging feature to capture Banking information, login and password details of the user. These details are, subsequently, shared with remote servers. As and when the user tries to make use of a Banking application, the malware initiates the screen recording and key logging to capture private and sensitive data related to the user’s Bank account.

6. Once installed on the Android device, the malware uses Accessibility Services to block all attempts to uninstall it. Further, it makes use of the accessibility services to target specific commands for malware action of screen recording and logging the keys data of the Android user.

7. This malware, currently, affects Banking users in Italy, Australia, Spain, Netherlands, and United Kingdom. Besides, it targets crypto users as well. Look at the graph pulled in from the Threat Fabric site that lays out the current impact of the Vultur malware across different countries.

Graph of impacted countries - Vultur malware
Graph of impacted countries – Vultur malware – Report source –

8. As of now, no incident of the Vultur malware has been reported from India.

9. How would a user know if his mobile phone has been compromised with the malware – Vultur. Since the malware captures or creates a screen recording, look for the icon of casting on the screen. If you notice a ‘cast’ icon on the Android phone screen, it implies that the phone is being tracked and screen shots are being shared with a remote server.

Also, look for the ‘Protection Guard’ app name in the notification panel. If you see the Protection Guard in the notification panel of your phone, your phone is compromised and the screen is being recorded by the malware and shared remotely. Look at the image below to see how the ‘Protection Guard’ manifests in the notification panel of the phone.

Notification panel of Android mobile that shows ‘Protection Guard’ app – gateway of the Vultur malware

10. A full list of Banking applications that are a target of the screen recording are:

Package NameApplication Label Mobile Banking
org.westpac.bankWestpac Mobile Banking Mobile Banking
com.bendigobank.mobileBendigo Bank Bank Australia Banking Australia AMRO Wallet App Bankieren
it.ingdirect.appING Italia
com.bankofqueensland.boqBOQ Mobile AMP Bank
com.fusion.bankingBank Australia app of Melbourne Mobile Banking
org.stgeorge.bankSt.George Mobile Banking Mobile Banking Australia
com.virginmoney.cardsVirgin Money Credit Card
org.banksa.bankBankSA Mobile Banking Cassa di Risparmio
com.latuabancaperandroid.pgIntesa Sanpaolo Business Private Banking
com.ria.moneytransferRia Money Transfer – Send Money Online Anywhere Private Banking
it.cedacri.hb2.bpbari[email protected]
it.relaxbankingRelaxBanking Mobile
com.sella.BancaSellaBanca Sella
it.caitalia.apphubCrédit Agricole Italia
com.unicreditMobile Banking UniCredit
com.latuabancaperandroidIntesa Sanpaolo Mobile
posteitaliane.posteapp.appbpolBancoPosta MPS
it.nogood.containerUBI Banca Mobile Banking
it.gruppobper.smartbpercardSmart BPER Card Mobile My Money
it.icbpi.mobileNexi Pay
com.VBSmartPhoneAppBankUp Mobile
it.carigeCarige Mobile
it.volksbank.androidVolksbank · Banca Popolare
net.inverline.bancosabadell.officelocator.androidBanco Sabadell App. Your mobile bank
es.liberbank.cajasturappBanca Digital Liberbank
com.bankinter.launcherBankinter Móvil Spain
es.cecabank.ealia2103appstoreUniPay Unicaja
com.db.pbc.mibancoMi Banco db
com.grupocajamar.wefferentGrupo Cajamar
es.bancosantander.empresasSantander Empresas
app.wizink.esWiZink, tu banco senZillo
com.imaginbank.appsImagin. Much more than an app to manage your money
com.bendigobank.mobileBendigo Bank minor US financial institution Banco Mobile
com.grupocajamar.wefferentGrupo Cajamar
es.unicajabanco.appUnicaja Banco
com.binance.devBinance – Buy & Sell Bitcoin Securely
com.coinbase.androidCoinbase – Buy & Sell Bitcoin. Crypto Wallet
com.coinbase.proCoinbase Pro – Bitcoin & Crypto Trading
com.coinbase.walliteCoinbase Wallet Lite
org.toshiCoinbase Wallet — Crypto Wallet & DApp Browser l DeFi Wallet – Buy Bitcoin Now
piuk.blockchain.androidBlockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum
com.wallet.crypto.trustappTrust: Crypto & Bitcoin Wallet
exodusmovement.exodusExodus: Crypto Bitcoin Wallet
io.atomicwalletBitcoin Wallet & Ethereum Ripple ZIL DOT
com.coinomi.walletCoinomi Wallet :: Bitcoin Ethereum Altcoins Tokens
com.krakenfuturesKraken Futures: Bitcoin & Crypto Futures Trading
com.kraken.tradePro: Advanced Bitcoin & Crypto Trading
com.kraken.invest.appKraken – Buy Bitcoin & Crypto Cryptocurrency Exchange
net.bitstamp.appBitstamp – Buy & Sell Bitcoin at Crypto Exchange
com.etoro.walleteToro Money
com.kubi.kucoinKuCoin: Bitcoin Exchange & Crypto Wallet
com.bittrex.tradeBittrex Global
com.plunien.poloniexPoloniex Crypto Exchange
com.hittechsexpertlimited.hitbtcHitBTC – Bitcoin Trading and Crypto Exchange
com.paxful.walletPaxful Bitcoin Wallet
com.cryptonator.androidCryptonator cryptocurrency wallet

A full list of Banking applications that are a target of keylogging are:

Package NameApplication Label
com.whatsappWhatsApp Messenger
com.viber.voipViber Messenger – Messages, Group Chats & Calls
com.zhiliaoapp.musicallyTikTok – Make Your Day
com.facebook.orcaMessenger – Text and Video Chat for Free
com.facebook.liteFacebook Lite

12. How could users protect against this malware?

The simplest way to help protect yourself against the Vultur malware is to install a good anti-virus and anti-malware on your Android device.

For the Banks and Financial institutions, it may be a good idea to work with professional security companies like the Threat Fabric to implement a robust threat discovery and remediation process to continuously protect their apps on the Android platform.