
This New Android FluHorse Malware Steals Passwords & 2FA Codes

FluHorse attacks begin with malicious emails sent to high-profile targets, urging them to take immediate action to resolve a payment issue.


A new Android malware known as 'FluHorse' has been uncovered, which targets users in Eastern Asia with fake applications that seem like legitimate versions. Check Point Research uncovered the malware, which has been targeting various regions of Eastern Asia since May 2022.

The FluHorse malware is delivered via email, and its purpose is to steal the target's account credentials and credit card details, as well as two-factor authentication (2FA) codes if necessary. Malicious emails are sent to high-profile targets, encouraging them to take fast action to remedy a payment issue.

Typically, the victim is directed to a phishing site via a link in the email, from which they download the bogus program APK (Android package file). The FluHorse carrier apps resemble 'ETC,' a Taiwanese toll-collection software, and 'VPBank Neo,' a Vietnamese banking app. On Google Play, both authorized versions of these apps have over a million downloads.

Check Point also discovered a third malicious app masquerading as a transit application used by 100,000 people, although the report did not name it.
Upon installation, all three bogus apps request SMS access so they can intercept incoming 2FA codes in case these are needed to hijack the victim's accounts.

According to the analysts, the fake apps mimic the originals' user interfaces but offer no functionality beyond two or three windows that load forms harvesting the victim's information. Check Point notes that the malicious apps were written in Dart on the Flutter platform, which makes reverse engineering and decompiling the malware difficult. The analysis was hard enough that Check Point ended up improving existing open-source tools such as 'flutter-re-demo' and 'reFlutter'.

"Flutter runtime for ARM uses its own stack pointer register (R15) instead of the built-in stack pointer (SP)," reads Check Point's report.

"Which register is used as a stack pointer makes no difference in code execution or in the reverse-engineering process. However, it makes a big difference for the decompiler. Because of a non-standard register usage, a wrong and ugly pseudocode is generated."

Check Point's analysis also identified the functions responsible for exfiltrating victims' credentials and credit card data, as well as the HTTP POST requests that forward the intercepted SMS messages to the command-and-control (C2) server. Check Point says the FluHorse campaign is still active, with new infrastructure and malicious apps appearing every month, making this a live threat for Android users.
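The behaviour described above (harvested credentials and card data, plus intercepted SMS messages, leaving the device in HTTP POST bodies) is something an outbound-proxy or mobile-EDR log can be checked for. The following is an added detection example, not code from Check Point's report or from the FluHorse analysis: it scans constructed JSON-lines proxy records (invented for this example, not real indicators) and flags POST bodies that carry an SMS-style one-time code or a Luhn-valid card number with a CVV, additionally noting when the destination is a bare IP address. The field names (`ts`, `app`, `method`, `host`, `path`, `body`) are assumptions about the log format.

```python
import json
import re
from typing import Dict, List

# Constructed sample of outbound-proxy records as JSON lines.
# Hosts, package names and bodies are invented for this example.
SAMPLE_LOG = r"""
{"ts": "2023-05-04T10:00:01Z", "app": "com.example.banking", "method": "POST", "host": "api.example-bank.invalid", "path": "/login", "body": "user=alice&pw=***"}
{"ts": "2023-05-04T10:00:07Z", "app": "com.example.etc.clone", "method": "POST", "host": "203.0.113.10", "path": "/sms", "body": "from=+886900000000&text=Your verification code is 482913"}
{"ts": "2023-05-04T10:00:09Z", "app": "com.example.etc.clone", "method": "POST", "host": "203.0.113.10", "path": "/card", "body": "pan=4111111111111111&exp=12/26&cvv=123"}
{"ts": "2023-05-04T10:00:12Z", "app": "com.example.news", "method": "GET", "host": "news.example.invalid", "path": "/feed", "body": ""}
"""

# An SMS-style OTP: a keyword followed (somewhere later) by a 4-8 digit token.
OTP_RE = re.compile(r"\b(?:code|otp|verification|passcode)\b.*?\b(\d{4,8})\b", re.IGNORECASE)
# Candidate primary account numbers are 13-19 digits; confirmed with Luhn below.
PAN_RE = re.compile(r"\b(\d{13,19})\b")
CVV_RE = re.compile(r"\bcvv=\d{3,4}\b", re.IGNORECASE)
# A raw IPv4 literal instead of a hostname; a weak signal on its own, so it is
# only reported alongside one of the content findings.
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record: Dict) -> List[str]:
    """Return the list of reasons a single proxy record looks like exfiltration."""
    reasons: List[str] = []
    if record.get("method") != "POST":
        return reasons               # only outbound POST bodies are of interest here
    body = record.get("body", "")
    if OTP_RE.search(body):
        reasons.append("otp_in_post_body")
    if CVV_RE.search(body) and any(luhn_ok(pan) for pan in PAN_RE.findall(body)):
        reasons.append("card_data_in_post_body")
    if reasons and BARE_IP_RE.match(record.get("host", "")):
        reasons.append("bare_ip_destination")
    return reasons


def scan(log_text: str) -> List[Dict]:
    """Parse JSON-lines proxy records and return the suspicious ones with reasons."""
    findings: List[Dict] = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            findings.append({"ts": rec["ts"], "app": rec["app"],
                             "host": rec["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

The legitimate banking login in the sample is not flagged because its body carries neither an OTP-style token nor card data; the two records from the cloned app are flagged for their content first, with the bare-IP destination added only as supporting context. In production the body check would run on decrypted traffic from a managed device, and the Luhn test keeps ordinary long numeric identifiers (order numbers, timestamps) from producing card-data alerts.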