Hacker pretends to be McAfee app on Android device

Fox-IT Researchers discovered a new version of the Vultur banking Trojan for Android, which has advanced capabilities for remote control and evasion of detection.

Vultur was first noticed back in March 2021, and at the end of 2023, Zimperium researchers included this banker in the top 10 most active Trojans for the year, noting that nine of its varieties attacked 122 banking applications in 15 countries.


As it is now Fox-IT analysts report, a new, stealthier version of Vultur is distributed to victims using a hybrid attack based on SMS phishing and phone calls. Attackers trick victims into installing malware masquerading as the McAfee Security application.

Thus, the victim receives an SMS notification of an unauthorized transaction and instructions to call the specified number for clarification. The call is, of course, answered by a scammer who convinces the user to open the link received in the second SMS and go to a site offering a modified version of the McAfee Security application. Inside this malicious application is the Brunhilda dropper.

Once installed, the application decrypts and executes three Vultur-related payloads (two APKs and a DEX file) that access Accessibility Services, launch remote access systems, and establish a connection to the attackers' command and control server.

The new version of the malware that the researchers studied retained a number of key functions (such as screen recording, keylogging and remote access via AlphaVNC and ngrok), which allows attackers to monitor and control in real time.


But the updated Vultur also has a number of new features:

  • file management, including downloading, uploading, deleting, installing and searching for files on the device;
  • using Accessibility Services to perform taps, scrolls, and swipes (researchers note that Vultur developers appear to be focused on improving remote control functionality for infected devices);
  • blocking certain applications from running on the device, displaying custom HTML or a “Temporarily Unavailable” message;
  • displaying custom notifications in the status bar to mislead the victim;
  • disabling the Keyguard feature to bypass lock screen protection and gain unrestricted access to the device.

Vultur also has new detection evasion mechanisms, including encrypting communications with the control server (AES + Base64), using multiple encrypted payloads that are decrypted on the fly if necessary, and disguising its activity as legitimate applications.