This Android malware records your screen — what you can do

Green skull on smartphone screen.
(Image credit: Shutterstock)

A nasty Android Trojan targeting banking, social-media and cryptocurrency apps steals your information the old-fashioned way: It records everything happening on your phone's screen.

The malware, dubbed "Vultur" by researchers at Amsterdam-based information-security firm ThreatFabric, targets the apps of banks in Australia, Italy, Spain, the Netherlands and the U.K.; social-media apps including Facebook, WhatsApp and TikTok; and cryptocurrency apps from Binance, Coinbase and others.

Vultur is installed on Android phones by a "dropper" called Brunhilda, which is present in several fitness, phone-security and authentication apps, some of which have been found in the Google Play store. The infected apps work as the user expects, but behind the scenes, Brunhilda reaches out to malware servers and downloads Vultur (or other malware).

One infected app called Protection Guard had more than 5,000 installations before it was removed from Google Play. ThreatFabric estimates that 30,000 phones may have been infected by Brunhilda. Regarding Vultur specifically, ThreatFabric's report said "we estimate the number of potential victims to be in the thousands."

(In January 2022, Vultur appeared again — read here for more.)

Most Android banking Trojans steal user login credentials by creating "overlays," fake login screens that look like they belong to widely used online-banking apps. But Vultur takes another approach: It uses remote-access technology to simply record everything the owner of an infected phone does when certain apps are being used. It also uses a keylogger to capture user inputs that aren't visible on screen.

The recordings are transmitted to servers run by the criminals operating Vultur, who then can play back screen recordings of unwitting victims logging into and using Facebook, accessing their bank accounts or making cryptocurrency trades. Combined with the keylogging data, this gives the criminals a walk-through of each potential victims going about routine business.

Vultur does all this by abusing Accessibility Services, a function in Android that's meant to help users with visual or auditory impairments, or users who may not be able to see the screen. For example, Accessibility Services lets one app read out what's on another app's screen. 

But because it gives apps unusual access to one another, far beyond what's normally permitted by Android, Accessibility Services is often abused by information-stealing malware. Vultur even uses the function to hijack the screen if the user tries to delete the infected app — it immediately presses the Back button.

Users can stop Vultur (and many other banking Trojans) dead in its tracks by denying the infected app permission to use Accessibility Services. As Vultur often arrives in the form of an app that really doesn't need Accessibility Services, this shouldn't always be difficult to detect. 

You can also detect Vulture, ThreatFabric says, because when it's transmitting data to its command-and-control server, the active "casting" icon will show up in the Android notifications. If you're not casting something and the icon shows up anyway, that's reason to worry. 

Another way is to install and use one of the best Android antivirus apps. Brunhilda is a known threat, and most antivirus apps will detect it right away; Vultur should be added to the list soon if it isn't there already.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Read more
Green skull on smartphone screen.
This Android banking trojan steals passwords to take over your accounts — and all it takes is a single text message
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
One phone with skull and crossbones on screen among several other clean-looking phones.
Malicious iPhone apps are spreading screenshot-reading malware on the Apple App Store — how to stay safe
Mobile malware
New malware uses infected VPN apps to take over your device — here's how to stay safe
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
Latest in Malware & Adware
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
An FBI agent typing on a computer
FBI issues warning to millions of Americans to avoid these websites that can steal your passwords and banking info
A hacker typing quickly on a keyboard
New MassJacker malware is hijacking digital wallets to steal large sums from users
A person trying to set up a new Wi-Fi router
Thousands of TP-Link routers have been infected by a botnet to spread malware
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Latest in News
Rendered images of rumored foldable iPhone.
Foldable iPhone report just revealed key details — here's what we know
NYTimes Connections
NYT Connections today hints and answers — Saturday, March 23 (#651)
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #385 (Sunday, March 23 2025)
Nintendo Switch 2
Nintendo Switch 2 rumored specs — here’s what we know so far
iPhone 17 Pro render
iPhone 17 Pro — 7 biggest rumored upgrades
CAD renderings of the Google Pixel 10 Pro XL
Pixel 10 leak could be good news for all Android phones