Threat actors have deployed the new FluHorse malware in a recent email phishing campaign that targets various sectors in East Asian markets. This new Android malware exploits the Flutter software development framework in its infection chain.
Based on reports, the malware is distributed through several malicious Android apps that impersonate legitimate applications, most of which have garnered millions of downloads. These trojanized apps can steal an infected target's credentials and intercept two-factor authentication (2FA) codes.
Some confirmed apps the campaign spoofs are ETC, VPBank, and Neo, which are prevalent among Taiwanese and Vietnamese users. New evidence shows that the phishing activity using FluHorse has been active since at least May of last year.
The phishing campaign that employs the FluHorse malware uses a common phishing tactic.
The FluHorse malware operators lure their targets with emails that include links to a compromised website hosting malicious APK files. These websites also contain checks that let the campaign assess visitors and deliver the app only if the visitor's User-Agent string indicates an Android device.
After installation, the malware requests SMS permissions and prompts the user to provide their credentials and credit card information. The campaign then exfiltrates the provided credentials to a server in the background while the app tells the victim to wait several minutes.
The threat actors can also use their access to SMS messages to intercept incoming 2FA codes and redirect them to an attacker-controlled server.
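The two traits the article attributes to FluHorse, SMS permissions (the prerequisite for intercepting 2FA codes) and a Flutter runtime, can both be checked statically. The following is an added triage example, not code from the article or from any vendor; it assumes the caller supplies the APK bytes and a decoded AndroidManifest.xml (for instance from apktool), and the sample manifest and archive are constructed inline.

```python
"""Static triage of an Android app for SMS permissions plus a Flutter runtime.
The manifest and APK-like archive below are constructed samples, not real
artifacts; a real run would take an APK and its decoded AndroidManifest.xml."""
import io
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions that allow an app to read incoming 2FA codes.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Files a Flutter-built APK ships with (engine, compiled Dart code, assets).
FLUTTER_MARKERS = ("libflutter.so", "libapp.so", "assets/flutter_assets/")


def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}


def flutter_indicators(apk_bytes: bytes) -> list:
    """Return archive entries that mark a Flutter build."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    return sorted({n for n in names if any(m in n for m in FLUTTER_MARKERS)})


def triage(apk_bytes: bytes, manifest_xml: str) -> dict:
    """Flag apps that can both read SMS and talk to the network; Flutter is
    reported as context only, since many legitimate apps use it."""
    perms = requested_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMS)
    return {"sms_permissions": sms, "flutter": bool(flutter_indicators(apk_bytes)),
            "flag": bool(sms) and "android.permission.INTERNET" in perms}


# Constructed sample manifest mimicking a credential-harvesting banking clone.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""


def build_sample_apk() -> bytes:
    """Build an in-memory zip with the layout of a Flutter APK (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("classes.dex", "lib/arm64-v8a/libflutter.so",
                     "lib/arm64-v8a/libapp.so", "assets/flutter_assets/kernel_blob.bin"):
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_apk(), SAMPLE_MANIFEST))
```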
An Israeli cybersecurity company recently identified a dating app that redirects Chinese users to malicious landing pages designed to harvest credit card information. That app was also built with Flutter, an open-source UI software development kit for building cross-platform applications from a single codebase.
These new malware strains show threat actors working on tooling that evades detection, obfuscates the malware, and establishes persistence while hindering analysis. However, some malware developers put little effort into the programming itself, since they rely on Flutter as their malware development platform.