New Android Banking Trojan Bypasses Google Play Protect

🛡️ Security

**By Anthony Bahn | Cybersecurity Correspondent**

*November 2024* — Security researchers have uncovered a sophisticated new Android banking trojan that successfully evades Google Play Protect defenses, marking a concerning evolution in mobile malware capabilities. The malware, dubbed "Vultur 2.0," represents a significant threat to Android users worldwide, exploiting multiple vulnerabilities in the Android operating system to harvest banking credentials and facilitate fraudulent transactions.

The discovery comes at a time when financial institutions are reporting a 300% increase in mobile banking fraud attempts compared to the previous year. This latest threat demonstrates how cybercriminals continue to adapt their techniques to circumvent even the most advanced security measures implemented by Google and device manufacturers.

What Happened

In mid-October 2024, cybersecurity firm ThreatFabric identified a new variant of the Vultur banking trojan that has been actively targeting Android users across North America, Europe, and Asia. Unlike its predecessors, Vultur 2.0 employs sophisticated evasion techniques that allow it to bypass Google Play Protect, Android's built-in malware detection system, which typically scans over 125 billion apps daily.

The malware campaign begins with seemingly legitimate applications distributed through both third-party app stores and, alarmingly, several instances discovered within the official Google Play Store itself. The malicious apps masqueraded as productivity tools, VPN services, and file managers, accumulating over 500,000 downloads before detection and removal.

Vultur 2.0 exploits a combination of known and zero-day vulnerabilities, including CVE-2023-45866 (a Bluetooth authentication bypass), CVE-2024-0039 (an information disclosure vulnerability in Android Framework), and CVE-2024-23706 (a privilege escalation flaw in the Android System component). The malware also leverages CVE-2023-40088, a use-after-free vulnerability in the Linux kernel that affects Android devices running versions 11 through 14.

What makes this threat particularly dangerous is its multi-stage infection process. The initial dropper application appears clean upon installation and during Google Play Protect's automated scans. The app operates legitimately for several days, establishing trust with both the user and security systems. After this dormancy period, the malware contacts a command-and-control (C2) server and downloads the malicious payload as an encrypted module, which it then decrypts and executes in memory without writing to disk, a technique known as fileless malware execution.

The trojan specifically targets users of 300+ banking applications, including major institutions such as Bank of America, Chase, Wells Fargo, HSBC, Barclays, Deutsche Bank, and numerous regional banks across multiple continents. Once installed, Vultur 2.0 employs screen recording capabilities, keylogging, and overlay attacks to capture sensitive information including login credentials, credit card numbers, and multi-factor authentication codes.

Who Is Affected

The scope of this threat extends across multiple demographics and geographic regions, making it one of the most widespread mobile banking threats observed in recent years.

Affected Android Versions:

  • Android 11 (all builds prior to November 2024 security patch)
  • Android 12 and 12L (builds prior to November 2024 security patch)
  • Android 13 (builds prior to November 2024 security patch)
  • Android 14 (builds prior to November 2024 security patch)
  • Notably, Android 10 and earlier versions are also vulnerable, though these versions have reached end-of-life status and will not receive security patches from Google.

Device Manufacturers:

While the vulnerability affects the Android operating system at its core, certain device manufacturers are disproportionately impacted due to delayed security updates. Users of devices from smaller manufacturers who receive irregular security patches face elevated risk. Samsung, Google Pixel, and OnePlus users who maintain current security patches have reduced exposure, though the zero-day components still pose risks until patches are applied.

Geographic Distribution:

ThreatFabric's telemetry indicates the highest concentration of infections in:

  • United States (42% of detected infections)
  • United Kingdom (18% of detected infections)
  • Germany (12% of detected infections)
  • Italy (8% of detected infections)
  • Spain (7% of detected infections)
  • Australia (5% of detected infections)
  • Remaining global regions (8% of detected infections)

Target Demographics:

Analysis of victim profiles reveals that the malware disproportionately affects users aged 35-65, likely due to targeted social engineering tactics in the distribution phase. However, no demographic is immune, and the malware's sophisticated evasion techniques mean that even security-conscious users may be compromised.

Financial institutions have reported that average fraudulent transaction values range from $2,500 to $15,000 per compromised account, with some high-value targets losing substantially more. The estimated total financial impact currently exceeds $87 million globally, though this figure continues to climb as new infections are identified.

Technical Analysis

Vultur 2.0 represents a significant advancement in mobile malware engineering, incorporating multiple sophisticated techniques that warrant detailed examination.

Initial Infection Vector:

The dropper applications utilize a technique called "versioning abuse," where the malicious functionality is introduced in an update after the initial app passes Google Play's review process. The original application includes heavily obfuscated code that appears benign to automated analysis tools. This code contains dormant functionality that only activates upon receiving specific trigger conditions from the C2 infrastructure.

The malware employs certificate pinning bypass techniques to intercept SSL/TLS communications, exploiting the CVE-2024-0039 vulnerability to read application-specific data without proper authentication. This allows the trojan to monitor banking app activity without requiring root access.

Privilege Escalation Chain:

Vultur 2.0 chains multiple vulnerabilities to achieve elevated privileges:

  • **CVE-2023-45866 (CVSS Score: 7.1)**: The malware exploits this Bluetooth authentication bypass to pair with attacker-controlled devices without user confirmation, establishing a covert communication channel that bypasses network monitoring.
  • **CVE-2024-23706 (CVSS Score: 7.8)**: This privilege escalation vulnerability in the Android System component allows the malware to gain system-level permissions without user interaction after the initial installation grant.
  • **CVE-2023-40088 (CVSS Score: 7.8)**: By exploiting this Linux kernel use-after-free vulnerability, the malware achieves kernel-level code execution, enabling it to disable security features and maintain persistence.

Evasion Techniques:

The malware implements several sophisticated evasion mechanisms:

  • **Environment-Aware Execution**: The malware detects virtualized environments, emulators, and analysis sandboxes by checking for specific system properties, hardware characteristics, and behavioral patterns. When analysis tools are detected, it remains dormant or executes only benign functionality.
  • **Google Play Protect Evasion**: Vultur 2.0 monitors the package names of running processes and temporarily suspends malicious activity when it detects Google Play Protect scans (the com.google.android.gms process). It also manipulates the response to Play Protect's SafetyNet Attestation API, returning falsified results that indicate a secure device state.
  • **Dynamic Code Loading**: Rather than including all malicious functionality in the initial package, the malware downloads encrypted modules from C2 servers using standard HTTP requests that appear as legitimate app update checks. These modules are loaded using reflection and dynamic class loading, techniques that hide the true capabilities from static analysis.
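Module downloads disguised as routine update checks still leave a timing fingerprint: an implant polls its server on a machine-set schedule, while real user traffic does not. The following script is an added example for this article, not code from ThreatFabric or from the malware; it runs a beacon-regularity check over a constructed connection log whose line format (`<epoch_seconds> <package> <destination_host> <bytes_out>`) and package/host names are assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample connection log (not real telemetry). Assumed format:
# "<epoch_seconds> <package> <destination_host> <bytes_out>" per line.
# The first package checks in every ~30 s with almost no jitter, the pattern the
# article describes for update-check cover traffic; the second is human-driven
# browsing with irregular gaps.
SAMPLE_LOG = """\
1731000000 com.example.filemanager updates.example-cdn.test 2048
1731000030 com.example.filemanager updates.example-cdn.test 2100
1731000060 com.example.filemanager updates.example-cdn.test 1990
1731000090 com.example.filemanager updates.example-cdn.test 2051
1731000120 com.example.filemanager updates.example-cdn.test 2077
1731000151 com.example.filemanager updates.example-cdn.test 2010
1731000004 com.android.chrome news.example.test 512
1731000041 com.android.chrome news.example.test 700
1731000155 com.android.chrome news.example.test 640
1731000900 com.android.chrome news.example.test 450
"""


def parse_log(text):
    """Group connection events by (package, destination host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, host, nbytes = line.split()
        flows[(pkg, host)].append((int(ts), int(nbytes)))
    return flows


def interval_stats(timestamps):
    """Mean gap and coefficient of variation (stdev / mean) of the inter-arrival times.

    Returns None when there are too few gaps to judge regularity."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, min_events=5, max_cv=0.1):
    """Flag (package, host) pairs whose connections recur at a near-constant interval.

    A low coefficient of variation means machine-timed check-ins; human traffic
    has large, irregular gaps and a CV well above the threshold."""
    findings = []
    for (pkg, host), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        stats = interval_stats([t for t, _ in events])
        if stats is None:
            continue
        mean, cv = stats
        if cv <= max_cv:
            findings.append({
                "package": pkg,
                "host": host,
                "interval_s": round(mean, 1),
                "cv": round(cv, 3),
                "events": len(events),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"beacon: {f['package']} -> {f['host']} every {f['interval_s']} s "
              f"(cv={f['cv']}, n={f['events']})")
```

On the constructed log only the file manager's flow is reported, at a 30.2 s mean interval. The threshold values are starting points: a real deployment tunes `min_events` and `max_cv` against its own baseline, and a malware family that adds random jitter to its schedule will push the CV up, so this check is one signal to combine with destination reputation and payload size, not a verdict on its own.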

Payload Capabilities:

Once fully deployed, Vultur 2.0 possesses extensive capabilities:

  • **Screen Recording**: Using Android's MediaProjection API, legitimately requested under the guise of screenshot functionality, the malware records all on-screen activity when banking applications are active. This recording is compressed and exfiltrated to C2 servers every 30 seconds.
  • **Accessibility Service Abuse**: By requesting accessibility permissions (often disguised as "tap assistance" or "screen reader" features), the malware gains the ability to read screen contents, simulate touches, and interact with other applications.
  • **Keylogging**: A custom keylogger captures all text input across the device, with special attention to banking applications and cryptocurrency wallets.
  • **Overlay Attacks**: The malware can display sophisticated overlay screens that appear identical to legitimate banking login pages, capturing credentials directly while users believe they're interacting with genuine applications.
  • **SMS Interception**: Critical for bypassing SMS-based two-factor authentication, the malware intercepts and exfiltrates verification codes before legitimate banking apps can process them.
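Every capability in the list above needs a declared permission or component, and under the "versioning abuse" pattern described earlier those declarations arrive in an update rather than in the version that passed review. The script below is an added example written for this article, not code from ThreatFabric, Google or the malware: it parses two constructed AndroidManifest.xml versions of a placeholder package (`com.example.filemanager`, `TapAssistService`), reports what the update added, and scores the result. The permission and action identifiers are real Android ones; the risk weights are an assumption for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission identifiers that map onto the capabilities the article
# attributes to Vultur 2.0; the weights are an assumption for this example.
RISK_WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,                  # overlay screens
    "android.permission.RECEIVE_SMS": 3,                          # OTP interception
    "android.permission.READ_SMS": 2,
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": 2,  # screen capture (Android 14+)
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,             # staging further packages
    "android.permission.QUERY_ALL_PACKAGES": 1,                   # enumerating banking apps
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifests: version 1 is the benign-looking file manager that passes
# review; version 2 is the later update that introduces the capabilities.
# Package and class names are placeholders.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="File Manager">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="File Manager">
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.filemanager.TapAssistService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def manifest_profile(xml_text):
    """Extract requested permissions and any service bound as an accessibility service."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    a11y = {el.get(A_NAME) for el in root.iter("service")
            if el.get(A_PERMISSION) == ACCESSIBILITY_BIND}
    return {"permissions": perms, "accessibility_services": a11y}


def score_profile(profile):
    """Weighted risk score; accessibility plus overlay is the overlay-attack pairing."""
    score = sum(RISK_WEIGHTS.get(p, 0) for p in profile["permissions"])
    if profile["accessibility_services"]:
        score += 4
        if "android.permission.SYSTEM_ALERT_WINDOW" in profile["permissions"]:
            score += 3
    return score


def compare_versions(old_xml, new_xml):
    """Report what a new app version adds relative to the previously reviewed one."""
    old, new = manifest_profile(old_xml), manifest_profile(new_xml)
    return {
        "added_permissions": sorted(new["permissions"] - old["permissions"]),
        "added_accessibility_services": sorted(
            new["accessibility_services"] - old["accessibility_services"]),
        "old_score": score_profile(old),
        "new_score": score_profile(new),
    }


if __name__ == "__main__":
    report = compare_versions(MANIFEST_V1, MANIFEST_V2)
    print(f"risk score {report['old_score']} -> {report['new_score']}")
    for p in report["added_permissions"]:
        print("  new permission:", p)
    for s in report["added_accessibility_services"]:
        print("  new accessibility service:", s)
```

The point of diffing against the reviewed version rather than scoring each build in isolation is that a file manager which suddenly wants to read SMS, draw over other apps and run an accessibility service has changed category, whatever its individual score. In practice the input comes from `aapt2 dump xmltree` or a decoded APK rather than from plain XML, and the jump from a score of 0 to 16 here is the kind of delta that should hold an update for manual review.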

Command and Control Infrastructure:

The C2 infrastructure demonstrates advanced operational security. The malware uses a domain generation algorithm (DGA) to create fallback communication channels if primary C2 servers are taken down. Communications are encrypted using a custom implementation of AES-