Skip to main content

This Android malware records your screen — what you can do

Green skull on smartphone screen.
(Image credit: Shutterstock)

A nasty Android Trojan targeting banking, social-media and cryptocurrency apps steals your information the old-fashioned way: It records everything happening on your phone's screen.

The malware, dubbed "Vultur" by researchers at Amsterdam-based information-security firm ThreatFabric, targets the apps of banks in Australia, Italy, Spain, the Netherlands and the U.K.; social-media apps including Facebook, WhatsApp and TikTok; and cryptocurrency apps from Binance, Coinbase and others.

Vultur is installed on Android phones by a "dropper" called Brunhilda, which is present in several fitness, phone-security and authentication apps, some of which have been found in the Google Play store. The infected apps work as the user expects, but behind the scenes, Brunhilda reaches out to malware servers and downloads Vultur (or other malware).

One infected app called Protection Guard had more than 5,000 installations before it was removed from Google Play. ThreatFabric estimates that 30,000 phones may have been infected by Brunhilda. Regarding Vultur specifically, ThreatFabric's report said "we estimate the number of potential victims to be in the thousands."

Most Android banking Trojans steal user login credentials by creating "overlays," fake login screens that look like they belong to widely used online-banking apps. But Vultur takes another approach: It uses remote-access technology to simply record everything the owner of an infected phone does when certain apps are being used. It also uses a keylogger to capture user inputs that aren't visible on screen.

The recordings are transmitted to servers run by the criminals operating Vultur, who then can play back screen recordings of unwitting victims logging into and using Facebook, accessing their bank accounts or making cryptocurrency trades. Combined with the keylogging data, this gives the criminals a walk-through of each potential victims going about routine business.

Vultur does all this by abusing Accessibility Services, a function in Android that's meant to help users with visual or auditory impairments, or users who may not be able to see the screen. For example, Accessibility Services lets one app read out what's on another app's screen. 

But because it gives apps unusual access to one another, far beyond what's normally permitted by Android, Accessibility Services is often abused by information-stealing malware. Vultur even uses the function to hijack the screen if the user tries to delete the infected app — it immediately presses the Back button.

Users can stop Vultur (and many other banking Trojans) dead in its tracks by denying the infected app permission to use Accessibility Services. As Vultur often arrives in the form of an app that really doesn't need Accessibility Services, this shouldn't always be difficult to detect. 

You can also detect Vulture, ThreatFabric says, because when it's transmitting data to its command-and-control server, the active "casting" icon will show up in the Android notifications. If you're not casting something and the icon shows up anyway, that's reason to worry. 

Another way is to install and use one of the best Android antivirus apps. Brunhilda is a known threat, and most antivirus apps will detect it right away; Vultur should be added to the list soon if it isn't there already.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.