Various sectors in the East Asian market have been targeted by a new email phishing campaign that is distributing a previously undocumented type of Android malware called FluHorse that abuses the Flutter software development framework.
“The malware features multiple malicious Android apps that mimic official apps, most of which have over 1,000,000 installs,” Check Point said in technical reports. “This malicious app steals victims’ credentials and two-factor authentication (2FA) codes.”
The rogue apps have been found to mimic apps such as ETC and VPBank Neo, which are used in Taiwan and Vietnam respectively. Evidence gathered so far suggests that the campaign has been active since at least May 2022.
The phishing scheme itself is straightforward: victims are lured in with emails containing links to bogus websites hosting malicious APK files. The sites also include a check that screens visitors and serves the APK only if the browser's User-Agent string identifies it as Android, so a desktop browser or a crawler presenting a non-Android User-Agent never sees the payload.
Once installed, the malware requests SMS permissions and prompts users to enter their credentials and credit card information, all of which is then exfiltrated to a remote server in the background while the victim is asked to wait a few minutes.
Threat actors also abuse their access to SMS messages to intercept all incoming 2FA codes and redirect them to a command-and-control server.
The Israeli cybersecurity firm said it also identified a dating app that redirected Chinese-speaking users to rogue landing pages designed to capture credit card information.
Interestingly, the malicious functionality is implemented with Flutter, an open source UI software development kit that can be used to develop cross-platform applications from a single code base.
While threat actors are known to use various tricks such as evasion techniques, camouflage, and long delays before execution to resist analysis and circumvent virtual environments, the use of Flutter marks a new level of sophistication.
“The malware developers didn’t put much effort into programming, instead relying on Flutter as a development platform,” the researchers concluded.
“This approach allowed them to build malicious applications that went largely undetected. One of the advantages of using Flutter is that its difficult-to-analyze nature makes many contemporary security solutions worthless.”
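The two traits the article singles out, a Flutter build and SMS permissions used to harvest 2FA codes, are both visible from the outside of an APK without decompiling any Dart code. The triage heuristic below is an added example and not Check Point's tooling: it looks for the native libraries every Flutter Android release build ships (`libflutter.so`, the engine, and `libapp.so`, the AOT-compiled Dart code) and combines that with the permission list as printed by `aapt dump permissions`. The `aapt` line format, the package names, and the sample APK (a constructed zip with the right layout and no real code) are assumptions made for the example.

```python
"""Flag APKs that are both Flutter-built and SMS-capable, for analyst review.

Added example, not Check Point's code. The aapt output format, package names
and the constructed sample APK below are assumptions made for illustration.
"""
import io
import re
import zipfile

# Native libraries a Flutter release build ships under lib/<abi>/.
# Debug builds lack libapp.so (Dart runs from kernel snapshots instead).
FLUTTER_LIBS = {"libflutter.so", "libapp.so"}

# Permissions that let an app receive or read SMS, and therefore 2FA codes.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Assumed format of `aapt dump permissions app.apk` lines:
#   uses-permission: name='android.permission.RECEIVE_SMS'
_PERM_RE = re.compile(r"uses-permission(?:-sdk-23)?: name='([^']+)'")


def parse_aapt_permissions(aapt_output: str) -> set[str]:
    """Extract the declared permission names from aapt's text output."""
    return set(_PERM_RE.findall(aapt_output))


def flutter_libs_in_apk(apk_bytes: bytes) -> set[str]:
    """Return which Flutter native libraries appear under lib/<abi>/ in the APK."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2] in FLUTTER_LIBS:
                found.add(parts[2])
    return found


def triage(apk_bytes: bytes, aapt_output: str) -> dict:
    """Combine the Flutter indicator with SMS + INTERNET permissions into a verdict.

    "review" means: Flutter build that can read SMS and talk to the network,
    the combination FluHorse relies on. It is a triage signal, not proof of
    malice; a legitimate Flutter app with OTP autofill would also land here.
    """
    libs = flutter_libs_in_apk(apk_bytes)
    perms = parse_aapt_permissions(aapt_output)
    sms = perms & SMS_PERMISSIONS
    is_flutter = FLUTTER_LIBS <= libs  # engine and AOT Dart code both present
    networked = "android.permission.INTERNET" in perms
    verdict = "review" if (is_flutter and sms and networked) else "pass"
    return {"flutter": is_flutter, "sms_permissions": sorted(sms), "verdict": verdict}


def build_sample_apk(flutter: bool) -> bytes:
    """Constructed stand-in for an APK: correct zip layout, no real code inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"")  # real one is binary XML; not parsed here
        zf.writestr("classes.dex", b"")
        if flutter:
            for lib in sorted(FLUTTER_LIBS):
                zf.writestr(f"lib/arm64-v8a/{lib}", b"\x7fELF")
    return buf.getvalue()


# Constructed aapt output for a look-alike banking app and for a benign app.
SAMPLE_AAPT_MALICIOUS = """package: com.example.fakebank
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
"""
SAMPLE_AAPT_BENIGN = """package: com.example.todo
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    print(triage(build_sample_apk(True), SAMPLE_AAPT_MALICIOUS))
    print(triage(build_sample_apk(True), SAMPLE_AAPT_BENIGN))
    print(triage(build_sample_apk(False), SAMPLE_AAPT_MALICIOUS))
```

On a real sample, feed `triage()` the APK bytes and the output of `aapt dump permissions`. Requiring both libraries is a release-build assumption; if you also triage debug builds, relax the check to `libflutter.so` alone. The point of the check is that Flutter's resistance to Dart-level static analysis does not hide the things the platform has to declare: the native engine on disk and the permissions in the manifest.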