FluHorse Mobile Malware

A new email phishing campaign targeting East Asian regions aims to distribute a new strain of Android malware known as FluHorse. This particular mobile malware takes advantage of the Flutter software development framework to infect Android devices.

The malware spreads through several unsafe Android applications that mimic legitimate ones. Many of these harmful apps have already passed 1,000,000 installs, which makes them particularly threatening. When users download and install these applications, they unknowingly give the malware access to their credentials and Two-Factor Authentication (2FA) codes.

The FluHorse applications are designed to resemble or outright imitate popular apps in the targeted regions, such as ETC and VPBank Neo, which are widely used in Taiwan and Vietnam. Evidence shows that this activity has been ongoing since at least May 2022. Details about the FluHorse Android malware and its associated activity were revealed in a report by Check Point.

FluHorse Tricks Victims with Phishing Tactics

The phishing scheme utilized in the infection chain of FluHorse is quite straightforward - attackers lure victims by sending them scam emails containing links to a dedicated website that hosts unsafe APK files. These websites also contain checks that screen victims, only delivering the threatening application if the visitor's browser User-Agent string matches that of Android. The phishing emails have been sent to a range of high-profile organizations, including employees of government agencies and large industrial companies.

Once the application is installed, the malware requests SMS permissions and urges users to enter their credentials and credit card information. This information is then exfiltrated to a remote server while the victim is made to wait for several minutes.

To make matters worse, the threat actors can abuse their access to SMS messages to intercept all incoming 2FA codes and redirect them to the Command-and-Control (C2, C&C) server of the operation. This allows the attackers to bypass security measures that rely on 2FA to protect user accounts.

In addition to the phishing attack, a dating app was also identified. It was observed redirecting Chinese-speaking users to rogue landing pages designed to capture their credit card information. This further highlights the danger posed by these attacks and the importance of remaining vigilant and taking appropriate precautions to protect oneself from cyber threats.

The FluHorse Android Malware is Difficult to Detect

What is interesting about this particular malware is that it is implemented using Flutter, an open-source UI software development kit that makes it possible for developers to create cross-platform applications from a single codebase. This is a noteworthy development, as threat actors more often rely on tactics such as evasion techniques, obfuscation, and delayed execution to avoid detection by virtual environments and analysis tools.

However, using Flutter to create malware represents a new level of sophistication. The researchers have concluded that the malware developers did not spend much time on programming but instead relied on the Flutter platform's innate characteristics. This allowed them to create a dangerous and largely undetected threatening application.
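The traits described above (SMS permission requests, an SMS receiver that can capture 2FA codes, a brand label that imitates a legitimate app, and a Flutter build) can be checked statically on an unpacked APK. The following triage script is an added example written for this page, not code from Check Point or from the malware; the "legitimate" package names it compares against are assumed placeholders, and the manifest it analyzes is constructed inline.

```python
"""Static triage of an unpacked Android app (e.g. apktool output) for FluHorse-style traits."""
import os
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Brands the report says FluHorse imitates; the package names are assumed placeholders,
# replace them with the real app store package names of the legitimate apps.
KNOWN_BRANDS = {"etc": "example.legit.etc", "vpbank neo": "example.legit.vpbankneo"}
# Native libraries every Flutter Android build ships; a context indicator, not a verdict.
FLUTTER_LIBS = {"libflutter.so", "libapp.so"}

def parse_manifest(xml_text):
    """Extract package, requested permissions, receiver actions and app label."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID_NS + "name") for e in root.iter("action")}
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") or "") if app is not None else ""
    return {"package": root.get("package"), "permissions": perms,
            "actions": actions, "label": label}

def triage(xml_text, native_libs):
    """Return a list of human-readable flags; an empty list means nothing suspicious."""
    info = parse_manifest(xml_text)
    flags = []
    if info["permissions"] & SMS_PERMS:
        flags.append("requests SMS permissions")
    if SMS_RECEIVED in info["actions"]:
        flags.append("registers an SMS_RECEIVED receiver (can intercept 2FA codes)")
    brand = info["label"].strip().lower()
    if brand in KNOWN_BRANDS and info["package"] != KNOWN_BRANDS[brand]:
        flags.append(f"label '{info['label']}' mimics a known brand but package is {info['package']}")
    if FLUTTER_LIBS & {os.path.basename(p) for p in native_libs}:
        flags.append("Flutter build (libflutter.so / libapp.so present)")
    return flags

# Constructed sample: a fake "ETC" app asking for SMS access and hooking incoming SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.constructed.fake.etc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="ETC">
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
SAMPLE_LIBS = ["lib/arm64-v8a/libflutter.so", "lib/arm64-v8a/libapp.so"]

if __name__ == "__main__":
    for flag in triage(SAMPLE_MANIFEST, SAMPLE_LIBS):
        print("FLAG:", flag)
```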
