Cybersecurity researchers have shared how an Android malware family called Fluhorse.
The malware “represents a significant change as it incorporates malicious components directly within the Flutter code,” Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week.
Fluhorse was first documented by Check Point in early May 2023, detailing its attacks on users located in East Asia via malicious apps masquerading as ETC and VPBank Neo, which are popular in Taiwan and Vietnam. The initial intrusion vector for the malware is phishing.
The ultimate goal of these applications is to steal credentials and credit card details, and to forward two-factor authentication (2FA) codes received via SMS to a remote server under the control of the threat actor.
The latest findings from Fortinet, which reverse-engineered a Fluhorse sample uploaded to VirusTotal on June 11, 2023, indicate that the malware has evolved, adding sophistication by hiding encrypted payloads inside packers.
“Decryption is done at the native level (to harden the reverse engineering) using the OpenSSL EVP cryptographic API,” explains Apvrille. “The encryption algorithm is AES-128-CBC, and the implementation uses the same hard-coded strings for the key and initialization vector (IV).”
The decrypted payload, a ZIP file, contains a Dalvik executable (.dex), which is then installed on the device to listen for incoming SMS messages and exfiltrate them to a remote server.
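As an added example (not code from Fortinet, Check Point, or the malware itself), here is an analyst-side unpack check in Python for a payload protected the way the report describes: AES-128-CBC with one hard-coded string reused as both key and IV, yielding a ZIP that carries a .dex. It assumes the `cryptography` package is installed; the key-derivation rule, the string `SAMPLE_SECRET`, and the encrypted fixture are constructed here for illustration, not recovered from the real sample.

```python
import io
import zipfile
from typing import Dict, List, Optional

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive
SAMPLE_SECRET = "example-packer-key"  # constructed for the fixture; not a real key


def key_iv_from_string(s: str) -> bytes:
    """Weak scheme from the report: one hard-coded string serves as AES-128 key
    and CBC IV. Derivation (first 16 bytes, zero-padded) is a hypothetical."""
    return s.encode()[:16].ljust(16, b"\0")


def aes128_cbc_decrypt(blob: bytes, key_iv: bytes) -> bytes:
    """Decrypt with key == IV and strip PKCS#7 padding; a wrong key almost
    always raises ValueError because the padding check fails."""
    dec = Cipher(algorithms.AES(key_iv), modes.CBC(key_iv), default_backend()).decryptor()
    padded = dec.update(blob) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def try_unpack(blob: bytes, candidates: List[str]) -> Optional[Dict[str, object]]:
    """Try each candidate string pulled from the native library; accept only a
    result that is a ZIP containing at least one .dex entry."""
    for cand in candidates:
        try:
            plain = aes128_cbc_decrypt(blob, key_iv_from_string(cand))
        except ValueError:
            continue  # bad padding: not this key
        if not plain.startswith(ZIP_MAGIC):
            continue  # decrypted, but not the ZIP container described
        with zipfile.ZipFile(io.BytesIO(plain)) as zf:
            dex = [n for n in zf.namelist() if n.endswith(".dex")]
        if dex:
            return {"key_string": cand, "dex_entries": dex}
    return None


def build_sample() -> bytes:
    """Constructed fixture: a ZIP with a dummy classes.dex, encrypted with key == IV."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
    key_iv = key_iv_from_string(SAMPLE_SECRET)
    pad = padding.PKCS7(128).padder()
    padded = pad.update(buf.getvalue()) + pad.finalize()
    enc = Cipher(algorithms.AES(key_iv), modes.CBC(key_iv), default_backend()).encryptor()
    return enc.update(padded) + enc.finalize()
```

A reused key/IV string found in a native library can be fed straight to `try_unpack` to confirm the packer scheme before deeper static analysis of the inner .dex.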
“Static reversing of Flutter apps is a breakthrough for anti-virus researchers, as, unfortunately, more malicious Flutter apps are expected to be released in the future,” said Apvrille.