Date: 2023-05-07

Several industries in East Asian markets have been hit by a new email phishing campaign distributing a previously undocumented strain of Android malware called FluHorse, which abuses the Flutter software development framework.

FluHorse: What this Android malware does and how it leads to phishing

“The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installations,” Check Point said in a technical report. “These malicious applications steal victims’ credentials and two-factor authentication (2FA) codes.”

This malware, FluHorse, was found to lurk among malicious applications that mimic popular programs such as ETC and VPBank Neo, which are widely used in Taiwan and Vietnam. The evidence gathered so far shows that the activity has been active since at least May 2022.

The phishing scheme itself is quite simple: victims are lured by emails that contain links to a fake website hosting malicious APK files (well, a timeless classic). The website also performs checks to screen visitors, delivering the app only if the User-Agent string of their browser matches that of Android.

Once installed, the malware requests SMS permissions and prompts the user to enter their credentials and credit card information, all of which is then redirected to a remote server in the background while the victim is instructed to wait for several minutes.

The bad guys, the authors of FluHorse, also take advantage of their access to SMS messages to intercept all incoming two-factor authentication (2FA) codes and redirect them to the command and control server.

The Israeli cybersecurity firm also identified a dating app that redirected Chinese-speaking users to fraudulent landing pages designed to capture credit card information.

It appears that several high-profile organizations are among the recipients of these phishing emails, including government sector employees and large industrial companies, with new infrastructure and fraudulent applications appearing every month.

Interestingly, the malicious functionality is implemented with Flutter, an open source UI software development kit that can be used to develop cross-platform apps from a single code base.

While these attackers are known to use a variety of tricks such as evasion techniques, obfuscation, and long waits before execution to resist analysis and bypass virtual environments, the use of Flutter marks a new level of sophistication.

“The malware development team didn’t put much effort into programming but relied on Flutter as their development platform,” the researchers concluded.

“This approach has allowed them to create dangerous and mostly undetectable malicious applications. One benefit of using Flutter is that its difficult-to-parse nature makes many security solutions [completely] useless.”
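As an added triage example (not from the Check Point report or this article), the following Python script checks an APK for the two traits described above: the native libraries every Flutter-built app ships, and the SMS permissions the malware needs to intercept 2FA codes. The sample APK is constructed inside the script, and its manifest is only a stand-in for the real binary AXML format, so the permission check is a byte match in both encodings the string pool can use rather than a full parser.

```python
import io
import zipfile

# Permissions an app needs to read incoming SMS (the report says the
# malicious apps request SMS permissions to capture 2FA codes).
SMS_PERMISSIONS = (
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
)
# Native libraries present in every Flutter-built APK: the engine and the
# compiled Dart code. The Dart side is opaque, but these file names are not.
FLUTTER_LIBS = ("libflutter.so", "libapp.so")


def _manifest_mentions(manifest: bytes, needle: str) -> bool:
    # A compiled AndroidManifest.xml stores its string pool as UTF-16LE or
    # UTF-8, so look for both encodings instead of parsing the AXML format.
    return needle.encode("utf-16-le") in manifest or needle.encode("utf-8") in manifest


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the Flutter and SMS-permission indicators found in an APK (a ZIP)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        manifest = apk.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    libs = sorted({n.rsplit("/", 1)[-1] for n in names if n.startswith("lib/") and n.endswith(".so")})
    found = {
        "flutter": any(lib in libs for lib in FLUTTER_LIBS),
        "sms_permissions": [p for p in SMS_PERMISSIONS if _manifest_mentions(manifest, p)],
    }
    # A Flutter app that wants to read incoming SMS deserves a manual look.
    found["suspicious"] = found["flutter"] and bool(found["sms_permissions"])
    return found


def build_sample_apk(permissions, libs) -> bytes:
    """Constructed sample for offline testing: a minimal ZIP laid out like an APK.
    The manifest is a UTF-16LE stand-in, not a real compiled AXML document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", "".join(permissions).encode("utf-16-le"))
        for lib in libs:
            apk.writestr(f"lib/arm64-v8a/{lib}", b"\x7fELF")  # placeholder, not a real library
        apk.writestr("classes.dex", b"dex\n035\0")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(SMS_PERMISSIONS, FLUTTER_LIBS)))
```

Against a real APK, read the file bytes and pass them to triage_apk; the result is a heuristic flag to prioritise analysis, not a verdict.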

How to defend yourself if FluHorse arrives in the West?

For starters: do not open links from strange emails, nor download strange APK files.

It may seem obvious, but evidently so obvious it is not, otherwise many people wouldn’t fall for the internet’s oldest trap.

Frankly, there isn’t much to say beyond the classic advice: use strong passwords, enable two-factor authentication where possible, and perhaps use a separate email address that only you know for certain services.

After all, as the old computer adage says, “the problem is between keyboard and chair”; nowadays, with smartphones, it should be updated to “the problem is between fingers and screen”.

Malware is unforgiving and FluHorse is no exception.