Criminals are currently abusing the McAfee brand name to spread malware on Android. They gain access to all files on your Android phone through the malware.
Security researchers from the renowned Fox-IT describe the rise of the so-called Vultur malware. Vultur was first distributed on Android phones in 2021. Since then, the malware has evolved considerably, as the researchers describe in a blog post. It is now possible to download, upload, delete and search files. Another new feature is that hackers can control infected devices via Android Accessibility Services. This means that actions such as swiping and scrolling can be performed via commands.
Fake version of McAfee Security
Developers rely on unsuspecting users to spread the malware. They are tricked via an SMS campaign into installing a fake version of McAfee Security. These text messages inform the victims that a payment was made that was not entirely correct. To solve that, one must call a telephone number of the attackers. They are then told that installing the McAfee Security app should solve all problems.
Since McAfee is a well-known name for many users, they fall for it. What they don’t know is that they are actually installing malware on their smartphone. The malware itself consists of three parts, each with their own purpose.
- Package 1: provides access to Android Accessibility Services.
- Package 2: gives the attackers access to the phone (remotely), including access to features such as screen recording.
- Package 3: initiates communication with the Command-and-Control server (C2) and activates all FCM commands.
Once the process is complete, the criminals will have full access to your system. You will hardly notice this yourself: all processes are performed in the background. This allows the hacker to watch unnoticed when, for example, you execute payment orders through your bank. They can then intercept and misuse that data. This attack can actually cost you money.
Apps outside the Play Store
Users can protect themselves against this attack relatively easily. To carry out the attack, you must install an app that is not in the Google Play Store. The attacker sends you the malicious McAfee app via a separate APK installation file. At that moment, alarm bells should immediately go off: unless you know the developer, it is not recommended to install apps that are not in the Play Store.
There are also plenty of virus scanners in the Play Store; including McAfee’s. In short: if you are concerned about a potential threat, you can always search for a virus scanner in Google’s app store.
