Malware often mimics mobile antivirus applications: the counterfeit AV app claims to protect the device, and users trust it enough to install it.
By cloning reputable anti-virus brands, malware can easily go unnoticed and gain an initial foothold on the device.
This approach is designed to take advantage of users’ confidence in their trusted application names and sense of security to introduce malicious payloads masquerading as device protection software.
Recently, cybersecurity researchers at Broadcom identified that threat actors had launched Vultur malware campaigns that involved distributing a malicious payload disguised as a legitimate mobile antivirus app from a well-known security company with a file named “<company name>_Security.apk”.
Vultur Malware Mimics Mobile Antivirus
This Android banking trojan uses an overlay attack: it draws fake user-interface windows on top of genuine banking apps so that the victim cannot tell them apart.
As a result, phishing victims unknowingly enter their confidential login credentials into the malicious overlays.
Besides this, the malware is capable of compromising login credentials from hundreds of financial institutions, including conventional banks and popular cryptocurrency exchange platforms.
So, this poses a significant threat to both fiat money and digital asset holdings, Symantec said.
While the initial infection vector remains unconfirmed, the malicious application is hosted on a domain controlled by the threat actors, which suggests a concentrated effort to distribute the malware and infect users' devices.
Evidence strongly suggests that threat actors are actively employing deceptive tactics, such as malicious SMS messages or website redirections, to entice victims into installing the malicious application unknowingly.
This security feature in the product reviews SMS messages and blocks phishing attempts by checking whether a URL is known to WebPulse threat intelligence in GIN.
It generates warnings for suspicious links; the domain used to distribute this malware is already known to WebPulse.
All WebPulse-powered products classify those malicious IPs and domains under the respective security categories, ensuring full coverage against online threats.
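As an added example (not Broadcom's or Symantec's code), the following Python sketches the two defender checks the text describes: extracting URLs from SMS text, looking each host up in a reputation feed (a constructed list standing in for WebPulse), and flagging an APK named "<Brand>_Security.apk" that is served from a host outside that brand's own domain. All hosts, the brand name and the sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for a URL reputation feed such as WebPulse; not real indicators.
KNOWN_MALICIOUS_HOSTS = {"av-download.example", "secure-update-check.example"}

# Brand name (lower-case) -> the brand's legitimate download domain. Placeholder values.
VENDOR_DOMAINS = {"acmeav": "acmeav.example"}

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
APK_RE = re.compile(r"/([A-Za-z0-9-]+)_Security\.apk$", re.IGNORECASE)

def extract_urls(text):
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def impersonated_brand(url):
    """Return the brand named in '<Brand>_Security.apk' when the file is not served
    from that brand's own domain; None if no such filename or the host is legitimate."""
    m = APK_RE.search(urlparse(url).path)
    if not m:
        return None
    brand, host = m.group(1).lower(), host_of(url)
    legit = VENDOR_DOMAINS.get(brand)
    if legit and (host == legit or host.endswith("." + legit)):
        return None
    return brand

def classify_sms(text):
    """Return (url, verdict) for every link in one SMS message."""
    findings = []
    for url in extract_urls(text):
        if host_of(url) in KNOWN_MALICIOUS_HOSTS:
            findings.append((url, "block"))   # host already known to the feed
        elif impersonated_brand(url):
            findings.append((url, "warn"))    # AV-branded APK from an unrelated host
        else:
            findings.append((url, "allow"))
    return findings

# Constructed sample messages, not captured traffic.
SAMPLE_SMS = [
    "Your device is at risk! Install protection now: http://av-download.example/AcmeAV_Security.apk",
    "Security update available: https://cdn-files.example/AcmeAV_Security.apk.",
    "Official download: https://www.acmeav.example/AcmeAV_Security.apk",
    "Your parcel is ready, track it at https://tracking.example/order/123",
]
```

Running `classify_sms` over `SAMPLE_SMS` yields block, warn, allow, allow in that order; a real deployment would replace the constructed sets with live reputation and vendor-domain data.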