This notorious Android banking trojan now lets hackers remotely control your phone — how to stay safe

A picture of a skull and bones on a smartphone depicting malware
(Image credit: Shutterstock)

Hackers have a new tool in their arsenal as one of the most advanced Android banking trojans has just been upgraded with new features that let it remotely control infected devices.

First discovered by the security firm ThreatFabric back in 2021, Vultur was one of the first banking trojans that could record the screen of infected Android smartphones. In the years since, its creators have updated this Android malware to make it even more dangerous.

As reported by SecurityWeek, new technical features have been added to Vultur and the malware is now even better at evading detection too. While it was initially distributed using malicious apps on the Google Play Store, security researchers at the NCC Group recently observed a brand new campaign which uses a novel distribution method to trick unsuspecting users into installing this malware on the best Android phones.

Here’s everything you need to know about the Vultur banking trojan along with some tips and tricks on how you can avoid having your phone hijacked by hackers.

Infecting victims with a hybrid attack

A person holding a phone near a laptop, representing an article about how to set up a Wi-Fi hotspot on Android

(Image credit: Shutterstock)

Instead of infecting users through malicious apps, this new campaign uses a hybrid attack which starts with a text message and is then followed by a phone call and yet another text message.

In its report, NCC Group’s security researchers explain that this hybrid attack begins with a text message that instructs potential victims to call a number if they didn’t authorize a large transaction from their bank account. While this transaction never actually took place, the message creates a sense of urgency which might be enough to trick users into calling the number.

If they do call to inquire about the large transaction, a second text message is sent during the call. It contains a link to a trojanized version of a McAfee Security app which they are coerced into installing on their smartphone. The app itself appears legitimate at first glance but it actually contains the Brunhilda dropper which is then used to download the Vultur banking trojan.

The malware is downloaded in three separate payloads which are combined on the targeted Android smartphone. Once installed, the hackers behind this campaign gain complete control over an infected device.

A more dangerous Vultur

A hacker typing quickly on a keyboard

(Image credit: Shutterstock)

The Vultur banking trojan was dangerous enough when it was first observed but now, it has even more features that hackers can use in their attacks.

For instance, the malware can download, upload, delete, install and find files on an infected Android smartphone but it can also prevent apps from running in the first place. Likewise, it can display a custom notification in the status bar and even disable Keyguard which allows it to bypass your lock screen. However, the new remote control capabilities are by far the most interesting.

Although Vultur still uses AlphaVNC and ngrok for remote access functionality like it did back in 2021, a hacker can now send commands to an infected smartphone to perform scrolls, swipe gestures, clicks, mute/unmute the device’s audio and more.

Just like with other Android malware strains, Vultur abuses the operating system’s Accessibility Services to gain even more control over an infected device. The cybercriminals behind this banking trojan are also leveraging Google’s own Firebase Cloud Messaging (FCM) service to send messages from a command and control (C2) server they control to an infected phone.

Normally, hackers need to have an ongoing connection with an infected device in order to control it. By using FCM though, they can send a command even if their connection to the device is lost. AlphaVNC and ngrok still require an ongoing remote connection but this new feature adds more flexibility while making things easier for hackers that have deployed this malware in their attacks.

The newly added file manager functionality also gives hackers more control over infected Android smartphones since they can take existing files off of the device as well as upload new ones to use in additional attacks.

How to stay safe from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

Although I would usually tell you to steer clear from Android apps with poor ratings and to avoid sideloading apps if you want to stay safe from malware, this campaign is a bit different.

It’s more like a phishing attack since it starts with an urgent message from an unknown sender. In cases like this, you need to keep a level head and avoid letting your emotions get the best of you. Instead of responding to the message immediately or even at all, what you should do first is to check your bank accounts to see if this large transaction actually happened. This would reveal that it didn’t and you could safely ignore the message.

At the same time, you never want to call hackers back on the phone when they provide you with a number, either by text or email. Automated email security checks now prevent many of their messages from getting through which is why hackers have begun trying to trick users into calling them. It’s a lot easier to convince someone to do something they may not necessarily want to do when you’re talking with them on the phone.

To protect yourself from trojanized apps like the one used in this attack, you should ensure that Google Play Protect is installed and enabled on your Android smartphone. These days though, most Android phones come with it pre-installed. For extra protection, you should also consider using one of the best Android antivirus apps as they’re updated more frequently and many of them include extra security features like a VPN or a password manager.

In an email to Tom's Guide, aGoogle spokesperson provided further insight on how the search giant is working to keep Android users safe from the Vultur malware, saying:

"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."

As Google and other companies get better at fending off attacks like this one, hackers will continue to devise new ways to trick you into installing malware on your smartphone. This is why you need to be extra careful when installing any new app while avoiding ones you have to manually install at all costs.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.