New Android Banking Malware “VulturX” Spreads via Fake Productivity Apps on Google Play

A new and highly advanced Android banking malware variant dubbed VulturX has been discovered spreading through several fake productivity and document-scanning apps on the Google Play Store, compromising thousands of users worldwide before Google initiated removal. Security analysts report that VulturX is an evolution of the earlier Vultur malware family, now featuring enhanced screen-recording, keylogging, biometric bypass, and session hijacking capabilities that allow attackers to steal banking credentials, intercept multifactor authentication prompts, and take over mobile financial accounts in real time.

Unlike traditional banking trojans that rely heavily on overlays, VulturX abuses Android’s Accessibility Services and Remote Screen Streaming APIs to observe the device exactly as the user sees it, making detection extremely difficult for security tools. Researchers found that once installed, the malware secretly communicates with a command-and-control server through encrypted channels, enabling attackers to perform fraudulent transactions, modify account settings, and bypass bank security controls. The malicious apps were disguised as legitimate tools with high ratings and fake reviews, tricking users into believing they were safe to install. Threat intelligence teams warn that VulturX is part of a broader campaign targeting mobile banking customers in Europe, the Middle East, and Southeast Asia, with attackers using aggressive phishing SMS messages to lure victims to the infected apps. This incident highlights the growing sophistication of mobile banking threats and the ease with which attackers are infiltrating official app stores. Security experts urge users to review installed apps, disable unnecessary accessibility permissions, and enable Google Play Protect while banks are advised to strengthen behavioral fraud detection to mitigate ongoing attacks.