Android users in Finland are being cautioned against deceptive tactics involving antivirus brands used in banking scams. According to a recent warning by Finland’s National Cybersecurity Centre, cybercriminals are duping users into downloading a fake McAfee antivirus application. This application is in fact a trojan dropper named Brunhilda, part of the Vultur Android banking trojan (ABT) family. The scam has already resulted in significant financial losses, with one victim reporting a loss of 95,000 euros. Research conducted by VMX Labs found indicators that other antivirus brands are also being misused in the wild, potentially targeting Finnish speakers.
The two samples we have do not look like the droppers listed by Fox-IT, but we managed to obtain a screenshot from urlscan.io showing that one of those samples might have been hosted at one of the dropper distribution URLs below on April 29th. In addition, our newly registered domain analysis indicates that “mcafee[.]786791[.]com” resolved to the same malicious IP address. This is the dropper URL pattern of the Vultur ABT mentioned in the Fox-IT article.
The last sample we obtained (M-VIP.Protect.apk) is a Brunhilda dropper. This is confirmed by the YARA rule published in the Fox-IT article.
Malicious Android Applications
| Filename | SHA-256 |
|---|---|
| F-Secure_Protect.apk | b4230592c46b7d87a63f25c6f88dcc4b271636a55febe388e0077c89128b0158 |
| McAfee_Security.apk | ef04b246dc6c3ba619994cdbbaf010833d7164ef98d3ef04696223a132b793da |
| M-VIP.Protect.apk | de401b70d2d7f8090c0ed48ca310647246d4956dfd21abb633d14ad910c7566f |
Dropper Distribution URLs
- protect[.]641869[.]com
- protect[.]918357[.]com
- protect[.]065481[.]com
- protect[.]864659[.]com
- suojaa[.]354269[.]com (suojaa means protect in Finnish)
- suojaa[.]065481[.]com (suojaa means protect in Finnish)
- m-vip[.]065481[.]com
- protect[.]354269[.]com (added on July 7th, 2024)
C2 servers
- brustworth[.]online
- gultopenfire[.]online
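The indicators above are most useful when they can be matched automatically. The script below is an added example written for this page, not VMX Labs' or Fox-IT's own tooling. It refangs the published dropper and C2 domains, matches DNS query log lines against them, flags hostnames that only share the naming scheme described above (a lure label in front of a six-digit numeric domain under .com) as a lower-confidence hit, and checks APK hashes against the published SHA-256 values. The DNS log line format and the `dropper_pattern` heuristic are assumptions; the sample log lines are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Indicators as published on this page (kept in their defanged form).
DROPPER_DOMAINS = [
    "protect[.]641869[.]com",
    "protect[.]918357[.]com",
    "protect[.]065481[.]com",
    "protect[.]864659[.]com",
    "suojaa[.]354269[.]com",
    "suojaa[.]065481[.]com",
    "m-vip[.]065481[.]com",
    "protect[.]354269[.]com",
    "mcafee[.]786791[.]com",
]
C2_DOMAINS = ["brustworth[.]online", "gultopenfire[.]online"]
DROPPER_SHA256 = {
    "b4230592c46b7d87a63f25c6f88dcc4b271636a55febe388e0077c89128b0158": "F-Secure_Protect.apk",
    "ef04b246dc6c3ba619994cdbbaf010833d7164ef98d3ef04696223a132b793da": "McAfee_Security.apk",
    "de401b70d2d7f8090c0ed48ca310647246d4956dfd21abb633d14ad910c7566f": "M-VIP.Protect.apk",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("protect[.]641869[.]com") back into a hostname."""
    return ioc.replace("[.]", ".").lower()


KNOWN_DROPPERS = {refang(d) for d in DROPPER_DOMAINS}
KNOWN_C2 = {refang(d) for d in C2_DOMAINS}

# Heuristic (assumption) for the dropper naming scheme seen above: a short lure
# label followed by a six-digit numeric domain under .com. Every published
# dropper host has this shape, so a match is worth triage but is not proof.
DROPPER_PATTERN = re.compile(r"^(?P<label>[a-z0-9-]+)\.(?P<num>\d{6})\.com$")

# Constructed DNS log format (assumption, not the page's):
#   <ISO timestamp> client=<ip> query=<hostname>
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<host>\S+)$")


def classify_host(host: str) -> Optional[str]:
    """Return a verdict for a queried hostname, or None if it is not suspicious."""
    host = host.lower().rstrip(".")
    if host in KNOWN_C2:
        return "vultur_c2"
    if host in KNOWN_DROPPERS:
        return "brunhilda_dropper"
    if DROPPER_PATTERN.match(host):
        return "dropper_pattern"  # same shape as the published URLs, lower confidence
    return None


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse DNS log lines and return one finding per suspicious query."""
    findings = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # lines in another format are skipped, not treated as hits
        verdict = classify_host(m["host"])
        if verdict:
            findings.append({"ts": m["ts"], "client": m["client"],
                             "host": m["host"], "verdict": verdict})
    return findings


def check_hash(sha256_hex: str) -> Optional[str]:
    """Return the published dropper filename for a SHA-256, or None."""
    return DROPPER_SHA256.get(sha256_hex.strip().lower())


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2024-04-29T10:12:03Z client=10.0.0.5 query=protect.641869.com",
    "2024-04-29T10:12:09Z client=10.0.0.5 query=www.example.com",
    "2024-04-29T10:15:41Z client=10.0.0.7 query=brustworth.online",
    "2024-04-29T10:20:00Z client=10.0.0.9 query=mcafee.786791.com",
    "2024-04-29T10:21:00Z client=10.0.0.9 query=example-lure.123456.com",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['host']} -> {f['verdict']}")
    print(check_hash("de401b70d2d7f8090c0ed48ca310647246d4956dfd21abb633d14ad910c7566f"))
```

Exact matches against the published lists are reported as `brunhilda_dropper` or `vultur_c2`; a `dropper_pattern` verdict only means the hostname follows the same lure-label plus six-digit-domain scheme and should be triaged rather than blocked outright. Hash lookups are case-insensitive so values copied from different tools compare correctly.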
Note: Special thanks to the MalwareHunterTeam and Fox-IT, whose earlier findings have greatly contributed to this ongoing research.