Some cybersecurity researchers have shared the inner workings of a family of Android malware called Fluhorse, something has already been said about the Fortnite case before.
Fluhorse, what changes compared to the Fortinet case
The malware”represents a significant evolution as it directly embeds malicious components into Flutter code“, has declared Axelle Apvrille, researcher at Fortinet FortiGuard Labs, in a report released last week.
Fluhorse was documented first by Check Point in early May 2023, describing its attacks on East Asian users via fraudulent apps posing as ETC and VPBank Neo, which are very popular in Taiwan and Vietnam.
The initial intrusion attack vector for malware is the phishing (data theft by deception).
The ultimate goal of the app is to steal credentials, credit card details and two-factor authentication (2FA) codes received via SMS to a remote server controlled by hackers.
Fortinet’s latest findings, which decrypted a Fluhorse sample uploaded to VirusTotal on June 11, 2023, they suggest that the malware has evolved, incorporating further sophistication by hiding the encrypted payload in a packer.
“Decryption is done natively (to make reverse engineering more difficult) using OpenSSL’s EVP cryptographic API“Apvrille explained. The encryption algorithm used is AES-128-CBC and its implementation uses the same key-encrypted string and initialization vector (IV).
The decrypted payload, a ZIP file, contains within it a Dalvik executable file (.dex), which is then installed on the device to listen to incoming SMS messages and exfiltrate them to the remote server.
“Statically decoding Flutter applications is a breakthrough for antivirus researchers, as more malicious Flutter apps are unfortunately expected to be released in the future“, concluded Apvrille.
#Fluhorse #returns #time #Android #operating #systems