Wednesday, May 1, 2024

Nigeria’s ngCERT alerts of new threats to Android users


The Nigeria Computer Emergency Response Team (ngCERT) has issued a critical alert to Nigerians over a raging cybersecurity threat targeting Android devices.

This new version of the so-called Vultur Trojan has infiltrated over 800 apps on the Google Play Store, resulting in the compromise of numerous Android devices, according to ngCERT, which coordinates incident response and mitigation strategies to proactively prevent cyberattacks in Nigeria’s cyberspace.

ngCERT said that the identified virus is a new variant of the Vultur banking Trojan posing as security, authenticator, or productivity apps. This malicious software aims to steal sensitive data and gain total control over compromised Android devices.

The alert indicated that this new version of the Vultur Trojan has infiltrated over 800 apps on the Google Play Store, resulting in the compromise of numerous Android devices. Image credit: Gencraft.

The alert indicated that this new version of the Vultur Trojan has infiltrated over 800 apps on the Google Play Store, resulting in the compromise of numerous Android devices. The updated malware boasts advanced remote-control capabilities and an improved evasion mechanism, allowing attackers to remotely interact with mobile devices and harvest sensitive data, ngCERT warned.

The attack vector typically begins with victims receiving SMS messages notifying them of unauthorised transactions and instructing them to call a provided number for assistance. When victims follow these instructions, they are connected to fraudsters who persuade them to click on a link received in a subsequent SMS message.

Clicking on the malicious link directs victims to a fraudulent website offering fake versions of security apps such as McAfee or other apps like My Finances Tracker, RecoverFiles, Zetter Authenticator, among others. Once installed, these fake apps decrypt and execute three Vultur-related payloads (two APKs and a DEX file) that gain access to Accessibility Services, initialize remote-control systems, and establish a connection with the command and control (C2) server, according to the alert.

In a second infection chain, the malware is distributed via trojanized dropper apps on the Google Play Store that masquerade as authenticator and productivity apps to trick unsuspecting users into installing them. The dropper framework known as Brunhilda is used to deploy the Vultur malware.

According to ngCERT, the updated malware boasts advanced remote-control capabilities and an improved evasion mechanism that allows attackers to remotely interact with mobile devices and harvest sensitive data. Image credit: Gencraft.

According to ngCERT, infection of an Android device allows attackers to:

Remotely interact with the infected device, including carrying out clicks, scrolls, and swipes through Android’s accessibility services, as well as download, upload, delete, install, and find files on the device.

Steal sensitive financial information to carry out transactions on the victim’s devices.

Use services to prevent victims from deleting the malicious app via traditional measures. Specifically, whenever the user tries to access the app details screen in the Android settings, Vultur automatically clicks the back button, blocking the user from accessing the uninstall button.

Prevent users from interacting with legitimate applications on the device, as defined in a list provided by the attacker.

Solution and Mitigation:

To protect against this Android security threat, ngCERT advised Android users to take these steps:

1. Avoid calling numbers provided in unsolicited messages or emails.
2. Exercise caution with links in messages or emails, especially those related to financial transactions.
3. Install apps only from trusted sources like the Google Play Store.
4. Keep Android devices and apps updated to the latest versions.
5. Utilize antivirus software and keep it updated to detect and remove malware.
6. Regularly review financial transactions for any unauthorised activity and report it promptly.

By following these guidelines, users can mitigate the risk of falling victim to this sophisticated Android malware and protect their devices and sensitive information from exploitation, according to ngCERT, which advised users to stay vigilant and prioritize cybersecurity to safeguard against evolving threats in the digital world.
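Both infection chains described above end with an app holding an Accessibility Service, and the first chain installs it from outside the Play Store. As an added example (not from ngCERT or the original article), the Python below triages the output of two standard adb commands to list apps with an enabled accessibility service and flag those not installed by the Play Store. The sample outputs, package names and the allowlist are constructed assumptions.

```python
# Added example: triage adb output for apps holding an Accessibility Service.
PLAY_STORE = "com.android.vending"

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakesecurity/com.example.fakesecurity.svc.MainService"
)
# Constructed output of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakesecurity  installer=null
package:com.example.notes  installer=com.android.vending
"""

def parse_a11y(value):
    """Return {package: [service, ...]} from the colon-separated setting."""
    services = {}
    value = value.strip()
    if not value or value == "null":      # nothing enabled
        return services
    for component in value.split(":"):
        pkg, _, svc = component.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(svc)
    return services

def parse_installers(listing):
    """Return {package: installer or None} from `pm list packages -i`."""
    installers = {}
    for line in listing.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field.split("=", 1)[1]
                installer = None if value == "null" else value
        installers[fields[0][len("package:"):]] = installer
    return installers

def triage(a11y_value, listing, allowlist=frozenset()):
    """List (package, installer, priority) for non-allowlisted a11y apps."""
    installers = parse_installers(listing)
    findings = []
    for pkg in sorted(parse_a11y(a11y_value)):
        if pkg in allowlist:
            continue
        installer = installers.get(pkg)
        # Play Store installs still need review: droppers were found there too.
        findings.append((pkg, installer, "review" if installer == PLAY_STORE else "high"))
    return findings
```

Because the second infection chain used droppers on the Play Store, a Play Store installer only lowers the priority of a finding; it does not clear the app.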
