A newly discovered Android malware named 'FluHorse' targets East Asian users with malicious apps that imitate legitimate apps with over a million installs; the fakes are designed to steal personal data and spread malware.
Check Point Research suggests that these malicious apps collect sensitive information from your device, including your credentials and the code for your Two-Factor Authentication (2FA) service.
A person who falls for this trick is likely to hand over sensitive personal details, such as passwords and banking details, that criminals can later misuse.
Several researchers have given the malware the name "FluHorse", reporting that it has been active for a year and that its operators still run it. To spread the malware, the operators sent phishing emails to "high-profile" targets informing them that there was a problem with a payment and that they would need to download an app to resolve it.
One of the most dangerous features of FluHorse is its ability to steal passwords and two-factor authentication codes from malware-infected devices. Additionally, according to Check Point's report on this campaign, most of the app impersonations have over one million installs.
The emails are used to distribute apps across the globe which include a Taiwanese app that collects tolls to help with traffic, VPBank Neo, a Vietnamese banking app, and an unnamed app that deals with transportation.
The legitimate version of each of the first two apps has been downloaded over one million times, and the official version of the third app has also been downloaded over one million times. In their study, the researchers found that the operators did not try to duplicate the legitimate apps exactly. Instead, they copied a few windows and mimicked the GUI of the legitimate apps. Typically, the malicious app displays a "system is busy" message to the victim as soon as they enter their account credentials and credit card details, buying time for the attackers to use the stolen data.
During the initial stages of phishing emails, high-profile entities such as government officials and other entities concerned with public safety were targeted in some cases.
It was also reported by Check Point that there was malware including an app used by 100,000 people cloned as a transportation app, but the name of the app was not revealed in the report.
So that two-factor authentication codes can be intercepted and later reused to hijack the accounts, all three fake apps request SMS access during installation.
To begin an attack using FluHorse, malicious email messages are sent to high-profile targets, urging them to resolve a payment issue as fast as possible.
In addition, the report stated that, upon installation, each of the three fake apps asked users to grant SMS access so that incoming 2FA codes could be intercepted should the attackers need them.
A fake app mimics the original one, but it has no function other than loading a couple of windows and capturing the victim's personal information through the forms it asks them to fill in.
Once it has captured the victim's account credentials and credit card details, the app displays the "system is busy" message for 10 minutes to make the delay look normal, while the operators work in the background to intercept and use the two-factor authentication codes.
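As an added illustration (not code from the Check Point report), the following Python script flags the manifest pattern the report describes: an app posing as a banking or toll-payment app that requests SMS permissions and registers a receiver for incoming SMS messages, which is what allows 2FA codes to be intercepted. The manifest, package name and class name are constructed placeholders, not indicators from the campaign.

```python
"""Flag Android manifests whose permission/receiver pattern matches an SMS-stealing fake app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest: a supposed "toll payment" app that asks for SMS access
# and registers a high-priority SMS receiver. Package and class names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.toll">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Toll Pay">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def sms_findings(manifest_xml: str) -> dict:
    """Return the SMS-related indicators found in a manifest string."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    prio_attr = f"{{{ANDROID_NS}}}priority"
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    receivers = []  # (receiver class, intent-filter priority) pairs listening for SMS
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(name_attr) for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                receivers.append((rcv.get(name_attr), int(flt.get(prio_attr, "0"))))
    return {"sms_permissions": sorted(perms & SMS_PERMISSIONS), "sms_receivers": receivers}


def is_suspicious(findings: dict, expects_sms: bool = False) -> bool:
    """A banking or toll app has no need to read SMS; SMS permissions plus an SMS
    receiver is the combination used to capture 2FA codes sent by text."""
    if expects_sms:  # e.g. a genuine messaging app declared by the reviewer
        return False
    return bool(findings["sms_permissions"]) and bool(findings["sms_receivers"])
```

Run it against a manifest extracted from an APK with a tool such as apktool; a positive result is a reason to inspect the app, not proof of malice on its own.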
In addition to its ability to remain undetected for long periods, one of the most concerning aspects of FluHorse is that it is a persistent and dangerous threat. FluHorse attacks begin with targeted malicious emails sent to high-profile individuals, urging them to resolve an alleged payment issue immediately.