# Vultur
Vultur is an Android banking trojan that pioneered real-time screen streaming over VNC as its primary credential-theft mechanism, deliberately avoiding the overlay injection approach used by every other banking trojan at the time. Discovered by ThreatFabric in March 2021, Vultur uses AlphaVNC for screen recording and ngrok for tunneling the VNC connection through NATs and firewalls. Its 2024 update added extensive accessibility-based remote control, file management, and app blocking capabilities, while maintaining the VNC core. Distribution relies on the Brunhilda dropper-as-a-service (DaaS) operation and, more recently, TOAD (telephone-oriented attack delivery) combining smishing with voice phishing.
## Overview
| Attribute | Details |
|---|---|
| First Seen | March 2021 |
| Status | Active (2024 update) |
| Type | Banking trojan, RAT, screen streaming |
| Aliases | None widely used |
| Attribution | Distributed via Brunhilda DaaS; operator unknown |
| Distribution | Google Play (Brunhilda droppers), smishing + TOAD |
## Origin and Lineage
ThreatFabric discovered Vultur in late March 2021 and named it for the "full visibility" it grants operators over victim devices through VNC. At the time, every Android banking trojan relied on overlay injection as the primary credential-theft technique. Vultur broke this pattern by recording the screen in real time, capturing whatever the user typed into any app without needing app-specific inject templates.
Vultur has no known code-level relationship to other banking trojan families. Its connection to the Brunhilda dropper operation provides the distribution layer: ThreatFabric documented Brunhilda as a DaaS that places trojanized utility apps on Google Play to deliver various banking trojan payloads, including Vultur.
NCC Group's Fox-IT published an updated analysis in March 2024 documenting a significant new version with expanded remote control capabilities, encrypted payloads, and a shift toward TOAD-based distribution.
## Distribution
### Brunhilda Droppers (2021-2023)
Vultur's primary distribution channel has been the Brunhilda DaaS, which places dropper apps on Google Play disguised as authenticator tools, productivity apps, and fitness trackers.
| Date | Dropper Disguise | Installs | Source |
|---|---|---|---|
| 2021 | Authenticator, fitness apps | 5,000+ | ThreatFabric |
| 2022 | Various utility apps | Thousands | ThreatFabric |
### TOAD Distribution (2024)
The 2024 version shifted to a social engineering chain combining SMS and voice calls:
- Victim receives an SMS about an unauthorized transaction
- SMS instructs the victim to call a provided number
- A human operator (the attacker) answers and persuades the victim to "secure their account"
- A second SMS arrives with a download link
- The link serves a trojanized McAfee Security app containing the Vultur payload
Fox-IT documented this TOAD chain, noting the McAfee impersonation and the multi-stage social engineering as a significant evolution from passive Play Store dropper distribution.
## Capabilities
### Version Evolution
| Version | Period | Key Capabilities |
|---|---|---|
| v1 | March 2021 | AlphaVNC screen streaming, ngrok tunneling, accessibility keylogging |
| v2 (2024 update) | March 2024 | All v1 + accessibility remote control, file manager, app blocking, encrypted C2, encrypted payloads |
### v1 Core (Screen Streaming)
| Capability | Implementation |
|---|---|
| Screen recording | AlphaVNC server running on-device |
| Remote tunneling | ngrok exposes VNC server through NAT/firewall |
| Keylogging | Accessibility service captures text input events |
| Target detection | Accessibility monitors foreground app, starts recording when target opens |
| SMS interception | Reads incoming SMS for 2FA codes |
The VNC approach means Vultur captures credentials from any app, not just those with pre-built overlay templates. When the accessibility service detects a target app in the foreground, Vultur starts a VNC recording session. The operator watches the session in real time through the ngrok tunnel.
### v2 Additions (2024)
Fox-IT's analysis documented 7 new C2 methods and 41 new Firebase Cloud Messaging (FCM) commands in the updated version:
| Capability | Implementation |
|---|---|
| Accessibility remote control | Taps, scrolls, swipes via accessibility service (supplements VNC) |
| File manager | Download, upload, delete, find, install files |
| App blocking | Prevent specified apps from launching |
| Keyguard control | Disable device lock screen |
| Custom notifications | Display attacker-crafted notifications to lure user interaction |
| Encrypted C2 | AES-encrypted command and control communication |
| Multi-payload loading | Three payloads (2 APKs + 1 DEX) decoded and loaded sequentially |
The 2024 version retains AlphaVNC and ngrok but adds accessibility-based remote interaction as a parallel control mechanism. This gives operators two modes: passive observation through VNC streaming and active device manipulation through accessibility commands.
## Technical Details
### AlphaVNC Integration
Vultur embeds a real VNC server implementation taken from the AlphaVNC project. The VNC server runs as a background service, capturing the device screen and serving it over a local VNC port.
### ngrok Tunneling
Since the VNC server is bound to localhost on the infected device, the malware uses ngrok to create a tunnel:
- Vultur starts the AlphaVNC server on a local port
- ngrok client connects to ngrok's relay infrastructure
- The relay assigns a public endpoint that forwards traffic to the local VNC port
- The operator connects to the public ngrok endpoint with a VNC client
This avoids the need for the device to have a public IP or for the C2 to handle VNC relay directly.
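Because the VNC session rides inside the ngrok tunnel, a defender watching egress traffic sees TLS sessions to ngrok's relay endpoints rather than raw RFB on port 5900, so that is where network detection of this tunneling step keys in. The following detector is an added example, not code from Vultur or from the ThreatFabric/Fox-IT analyses; the log format, device IDs, documentation-range IPs and the relay-suffix list are constructed assumptions, and the suffix list must be maintained from ngrok's published endpoints.

```python
import re
from collections import defaultdict
# Constructed sample egress log lines (assumed format, not real telemetry):
#   <timestamp> device=<id> dns query=<host>
#   <timestamp> device=<id> conn dst=<ip:port> sni=<tls-sni>
SAMPLE_LOGS = """\
2024-03-12T10:01:02Z device=android-7f3 dns query=tunnel.ngrok.com
2024-03-12T10:01:03Z device=android-7f3 conn dst=198.51.100.7:443 sni=tunnel.ngrok.com
2024-03-12T10:05:40Z device=android-2a9 dns query=play.googleapis.com
2024-03-12T10:06:11Z device=android-2a9 conn dst=203.0.113.5:443 sni=play.googleapis.com
2024-03-12T10:07:00Z device=android-7f3 conn dst=198.51.100.9:443 sni=tunnel.eu.ngrok.com
2024-03-12T10:09:15Z device=android-c44 dns query=tunnel.ngrok.com
2024-03-12T10:11:30Z device=android-dev-01 dns query=tunnel.ngrok.com
2024-03-12T10:11:31Z device=android-dev-01 conn dst=198.51.100.7:443 sni=tunnel.ngrok.com
"""

# Assumed ngrok relay domain suffixes: maintain this from ngrok's published
# endpoint list; it is not taken from the Vultur analyses.
NGROK_SUFFIXES = ("ngrok.com", "ngrok.io", "ngrok-agent.com", "ngrok-free.app", "ngrok.app")
# Devices with a documented reason to run an ngrok agent (constructed allowlist).
ALLOWLIST = {"android-dev-01"}

LINE_RE = re.compile(r"^(?P<ts>\S+) device=(?P<dev>\S+) (?P<kind>dns|conn)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def is_relay_host(host: str) -> bool:
    """True if host is an ngrok relay hostname (exact or subdomain match only)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in NGROK_SUFFIXES)

def parse_line(line: str):
    """Return (device, kind, key/value fields) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("dev"), m.group("kind"), dict(KV_RE.findall(m.group("rest")))

def find_tunnel_agents(log_text: str) -> dict:
    """Map device -> sorted relay hostnames for devices that both resolved and
    opened a TLS session to an ngrok relay; allowlisted devices are skipped."""
    seen = defaultdict(lambda: {"dns": set(), "conn": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        dev, kind, fields = parsed
        host = fields.get("query") if kind == "dns" else fields.get("sni")
        if host and is_relay_host(host):
            seen[dev][kind].add(host.lower())
    return {dev: sorted(s["dns"] | s["conn"]) for dev, s in seen.items()
            if dev not in ALLOWLIST and s["dns"] and s["conn"]}
```

Requiring both a resolution and a TLS session keeps a stray DNS lookup from firing on its own; a hit on a managed device with no developer justification is the point to pivot to on-device checks for an active accessibility service.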
### C2 Communication
v1:
| Component | Details |
|---|---|
| Protocol | HTTPS for commands, ngrok for VNC |
| Bot registration | Device info, installed apps, country code sent at registration |
| Commands | Start/stop recording, keylogger toggle, SMS interception config |
v2 (2024):
| Component | Details |
|---|---|
| Protocol | HTTPS with AES encryption |
| Push channel | Firebase Cloud Messaging (41 commands) |
| C2 methods | 7 new methods for file operations, app blocking, notification control |
| Payload delivery | 3-stage: 2 APKs + 1 DEX file, each encrypted |
| Obfuscation | Multiple encrypted payloads decrypted at runtime, legitimate app disguise |
### Payload Structure (v2)
The 2024 dropper (McAfee Security impersonation) executes three payloads in sequence:
- First APK: Registers the bot with C2, establishes initial communication
- Second APK: Obtains accessibility service permissions, sets up AlphaVNC and ngrok
- DEX file: Provides additional commands, fetched and executed from C2
## Target Regions and Financial Institutions
| Region | Details |
|---|---|
| Italy | Largest number of targeted banking apps |
| Australia | Second-highest target concentration |
| Spain | Significant banking app targeting |
| UK | Added in later campaigns |
Vultur's VNC-based approach means any app on the device is effectively a target, since the operator sees exactly what the user sees. The formal "target list" determines when recording sessions start automatically, but operators can initiate recording at any time.
## Notable Campaigns
March 2021: ThreatFabric disclosed Vultur as the first Android banking trojan to use VNC-based screen recording instead of overlay injection. Initial campaigns targeted Italian, Australian, and Spanish banks, distributed through Brunhilda dropper apps on Google Play with 5,000+ installs.
November 2021: ThreatFabric documented the Brunhilda dropper ecosystem, identifying Vultur as one of multiple banking trojans delivered through the DaaS operation alongside Alien and other families.
2022-2023: Vultur maintained steady operations through Brunhilda droppers on Google Play. Multiple dropper apps were identified and removed in successive rounds, with the operators consistently uploading new variants.
March 2024: NCC Group's Fox-IT published detailed analysis of Vultur's major update. The new version added 7 C2 methods, 41 FCM commands, file management, app blocking, and encrypted communications. Distribution shifted to TOAD: a smishing + voice phishing chain delivering a trojanized McAfee Security app.
April 2024: Bleeping Computer reported on the McAfee impersonation campaign, noting the sophistication of the TOAD delivery chain where human operators guided victims through the installation process.