The phone theft scam described here, reported under the name “ghost tapping”, delivers the Vultur banking Trojan, one of the more capable Android malware families targeting mobile banking users. The attack builds on earlier Android threats by combining social engineering with a multi-stage malware delivery chain that abuses legitimate Android features (accessibility services and screen capture) to harvest banking credentials, rather than exploiting a flaw in the platform itself.
The attack sequence begins with two SMS messages and a phone call. The initial message deceives victims by claiming unauthorized transactions have occurred and prompts them to call a specific number. During the call, victims are instructed to install an app posing as McAfee Security from a link the caller provides, which means the APK is sideloaded from an attacker-controlled site rather than installed from the Play Store. While the app mimics legitimate security software, it actually contains the Brunhilda dropper malware.
Once installed, the Brunhilda dropper decrypts and executes three Vultur-related payloads. These grant attackers comprehensive access to the victim’s device, enabling capabilities such as keylogging and screen recording. For remote control the malware relies on Android’s accessibility services, a legitimate API that the user must explicitly grant to an app and that then lets it read screen content and inject taps and gestures; with that access it can perform file manipulation, block other apps from opening, and display custom notifications.
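Because the remote-control capability depends on an accessibility service being enabled for a sideloaded app, a quick triage check on a suspect device is to compare the enabled accessibility services against where each third-party package was installed from. The script below is an added example, not code from the original article or from any vendor named in it. It parses the text output of two standard adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags third-party packages with accessibility access that did not come from a trusted store. The sample output embedded in the script is constructed for this example; the package name `com.example.fakeav` is a placeholder, and the set of trusted installers is a policy choice you should adapt to the device’s OEM store.

```python
from __future__ import annotations
import re

# Installer package names treated as trusted. com.android.vending is the Play Store;
# add OEM stores (e.g. Samsung Galaxy Store) as local policy dictates. An APK
# sideloaded from a browser download typically shows installer=null or
# installer=com.google.android.packageinstaller, neither of which is listed here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Entries are package/ServiceClass pairs separated by colons; the value is "null" when none are enabled.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeav/.AccessService"
)

# Constructed sample of: adb shell pm list packages -3 -i   (third-party packages with installer)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeav  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""


def parse_enabled_services(raw: str) -> list[str]:
    """Return the package names that currently have an accessibility service enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    packages = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if entry:
            packages.append(entry.split("/", 1)[0])  # keep the package, drop the service class
    return packages


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map each third-party package to its installer (None when adb reports installer=null)."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.group(1), m.group(2)
            installers[pkg] = None if installer == "null" else installer
    return installers


def suspicious_accessibility_apps(services_raw: str, packages_raw: str) -> list[tuple[str, str | None]]:
    """Flag third-party packages with accessibility access that were not installed from a trusted store.

    Packages absent from the -3 listing are system apps (e.g. a preinstalled screen reader)
    and are not flagged; they are outside what this check is trying to catch.
    """
    installers = parse_installers(packages_raw)
    flagged = []
    for pkg in parse_enabled_services(services_raw):
        if pkg not in installers:
            continue  # system app, not sideloaded
        if installers[pkg] not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installers[pkg]))
    return flagged


if __name__ == "__main__":
    for pkg, installer in suspicious_accessibility_apps(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW: {pkg} has accessibility access; installer={installer}")
```

On a real device, feed the script the live output of the two adb commands instead of the embedded samples. A hit is a lead, not a verdict: legitimate password managers and automation apps also use accessibility services, so confirm by checking when the package was installed and whether it matches the app the victim was talked into installing.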
Technical characteristics of the malware include command-and-control traffic that is AES-encrypted and then Base64-encoded, native code written primarily in C and C++ for payload decryption, and screen-streaming capabilities aimed at mobile banking applications. This focus on capturing what the user sees and types, rather than on stealing stored credentials, comes as financial institutions worldwide strengthen their security measures; some regions, such as Thailand, now mandate biometric authentication for mobile banking.
Security experts recommend multiple protective measures, including regular password changes, consistent transaction monitoring, and the use of identity theft protection services. In the event of infection, users should notify their financial institutions, alert contacts about potential phishing attempts, and consider performing a factory reset after backing up essential data. Any password changes should be made from a device known to be clean, since a keylogger on the infected phone would capture the new credentials as well.
D. Sivanandhan, former Mumbai police commissioner, notes that the scam misrepresents the legal process, as the National Crime Records Bureau does not impose fines without proper legal procedures.
Prevention remains the most effective defense. Users should independently verify any claim of unauthorized transactions by contacting their financial institution directly through official channels, rather than calling numbers or opening links in unexpected messages, and should not install security software from a link supplied by a caller. This practice becomes increasingly important as cybercriminals continue to develop more sophisticated methods of bypassing traditional security measures.
Sources: Cyberpeace Foundation, NSO Security Team News, Wikipedia, Mysterium VPN