FluHorse Android Malware: A New Cybersecurity Threat Exploiting Flutter Framework

CryptoMode Android Play-to-earn Blockchain Games Free-to-play Fluhorse

East Asian markets are currently facing a surge in a sophisticated email phishing campaign to distribute a new and previously undocumented strain of Android malware, dubbed FluHorse. This malware leverages the Flutter software development framework, making it particularly challenging for cybersecurity experts to analyze and combat.

FluHorse Malware Mimics Legitimate Applications

According to a technical report by Check Point, the FluHorse malware consists of several malicious Android applications that impersonate legitimate apps, some of which have been installed over a million times. By masquerading as authentic applications, these malicious apps succeed in stealing victims’ credentials and two-factor authentication (2FA) codes.

Popular apps such as ETC and VPBank Neo, extensively used in Taiwan and Vietnam, are imitated by malicious apps. Based on the evidence collected so far, the phishing campaign has been active since at least May 2022.

Phishing Scheme: Exploiting Email Links and Bogus Websites

Check out our weekly crypto and fintech newsletter here! Follow CryptoMode on Twitter, Youtube and TikTok for news updates!

The FluHorse phishing campaign operates using a simple yet effective strategy. Victims are targeted with emails containing links directing them to a fake website hosting malicious APK files. The website also incorporates checks that aim to filter victims and deliver the app only if the browser User-Agent string corresponds to Android.

Upon installation, the malware seeks SMS permissions and asks users to enter their credentials and credit card information. While the victims wait, their data is secretly transmitted to a remote server in the background.

SMS Access Abused to Intercept 2FA Codes

Cybercriminals behind the FluHorse malware exploit their access to SMS messages to intercept and redirect all incoming 2FA codes to their command-and-control server. Israeli cybersecurity firm Check Point has also discovered a dating app that redirects Chinese-speaking users to fraudulent landing pages designed to capture credit card information.

These phishing emails have reportedly targeted high-profile organizations, including government sector employees and large industrial companies. In addition, new infrastructure and counterfeit applications emerge every month, exacerbating the issue.

The Role of Flutter in the Malware’s Sophistication

In a notable development, the FluHorse malware utilizes Flutter, an open-source UI software development kit that allows for the creation of cross-platform apps from a single codebase. Although cybercriminals have been known to employ various tricks such as evasion techniques, obfuscation, and long delays before execution to bypass analysis and virtual environments, the use of Flutter signifies a heightened level of sophistication.

Check Point’s researchers concluded that the malware developers relied heavily on the Flutter development platform, which enabled them to create dangerous and mostly undetected malicious applications. In addition, the inherent complexity of analyzing Flutter-based apps renders many contemporary security solutions ineffective.

None of the information on this website is investment or financial advice. CryptoMode is not responsible for any financial losses sustained by acting on information provided on this website.