MoneyMonger campaign operates numerous illegal activities

December 26, 2022
MoneyMonger Fraud Campaign Social Engineering Loan Scam India Mobile Apps

Researchers discovered a new Flutter-hidden app and its variants that distribute malware as part of a cyberattack called the MoneyMonger campaign. The campaign operators use malicious lending applications to threaten and blackmail targeted victims into paying unreasonable amounts.

The MoneyMonger campaign threat actors regularly update and develop their apps to bypass security detection. The group’s malicious applications heavily rely on geo-specific targeting.

According to a researcher, one of the group's malicious apps exclusively targets Indian citizens, while another variant targets residents of Peru. The adversaries hide the malicious code built into their application behind the Flutter framework and apply XOR encryption to bypass standard Android malware detection.

Currently, the group's compromised apps are not offered on the Google Play Store. Hence, the actor's primary distribution vector is third-party app stores.


The MoneyMonger campaign utilises a chain of social engineering tactics.


An analyst explained that the MoneyMonger campaign operators are using several layers of social engineering tactics to spread their malicious applications, which promise loans in a few easy steps.

Subsequently, the attackers deceive their target into granting the app broad permissions on the device, which allows them to leak private data. The data stolen by the actors includes contacts, SMS messages, photos, recordings, call logs, storage contents, and GPS location information.

Therefore, the campaign operators could blackmail their targets by threatening to reveal information, call people from the contact list, and distribute stolen pictures from the device.

This malicious campaign is a part of an enormous loan scam, which researchers initially discovered in May. During that time, the researchers identified a malicious application called Cash Advance, available in Google Play Store.

Upon installation, the app requests a list of privileges and harvests all SMS details, camera access, the list of installed applications, the IP address, and storage contents. Like the current campaign, the attackers threaten their target by collecting the contact list and even uploading the information to the operator's leak site.
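The permission set described above (SMS, contacts, call logs, storage, camera, location) is far beyond what a legitimate lending app needs, and it is the simplest static signal a defender or app-store reviewer can check. The following is an added example, not code from the article or any vendor tool: it parses a decoded AndroidManifest.xml, maps the requested permissions to the data categories these loan apps harvest, and flags the sample when several categories are unlocked at once. The manifest and package name are constructed for the demo; the permission names are real Android ones.

```python
"""Manifest permission triage for loan-app samples (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permissions grouped by the data category the article says
# these apps harvest from the victim's device.
HARVEST_CATEGORIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "storage_photos": {"android.permission.READ_EXTERNAL_STORAGE",
                       "android.permission.READ_MEDIA_IMAGES"},
    "recordings": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
}

# Constructed manifest for demonstration (hypothetical package name).
# A real manifest is decoded from the APK first, e.g. with apktool.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quickloan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Quick Loan"/>
</manifest>
"""

# Constructed benign manifest: only network access, as a lending front end needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainloan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Plain Loan"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter("uses-permission"):
        # The name attribute lives in the android: namespace.
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name)
    return perms


def harvest_categories(perms):
    """Map requested permissions to the sensitive data categories they unlock."""
    return sorted(cat for cat, names in HARVEST_CATEGORIES.items() if perms & names)


def triage(manifest_xml, threshold=3):
    """Flag a manifest that unlocks at least `threshold` harvest categories.

    A lending app needs identity and payment details, not SMS, call logs and
    the contact list; several of these together is the pattern described above.
    """
    cats = harvest_categories(requested_permissions(manifest_xml))
    return {"categories": cats, "suspicious": len(cats) >= threshold}


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: categories={result['categories']} suspicious={result['suspicious']}")
```

The threshold is deliberately a count of categories rather than of raw permissions, so an app that asks for both fine and coarse location is not double-counted; tune it against your own sample set, since a single sensitive permission can have a legitimate use while the combination rarely does.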

Threat groups continuously run social engineering campaigns and other methods to deceive users into downloading malicious apps. Cybersecurity experts urge users to read reviews of an app before downloading it. It is always better to avoid downloading applications from untrusted or third-party sources.
