FluHorse: A Dangerous Android Malware Threatening Users in East Asia

A new Android malware named "FluHorse" has been discovered, targeting users in East Asia with malicious apps that mimic legitimate ones. FluHorse is distributed via email, and its purpose is to steal the target's account credentials and credit card data and, where required, retrieve two-factor authentication (2FA) codes. The malware was discovered by Check Point Research, which reports that it has been targeting various sectors in East Asia since May 2022. The report details attacks against users in Taiwan and Vietnam via malicious applications masquerading as ETC and VPBank Neo, which are popular in those countries. The initial intrusion vector for this malware was phishing.

FluHorse attacks begin with a malicious email sent to high-profile targets, urging them to take immediate action to resolve payment issues. Typically, victims are directed to a phishing site via a link in the email, where they download a fake app APK (Android package file). The main purpose of the app is to steal credentials, credit card details, and 2FA codes received via SMS, and send them to a remote server under the control of the threat actor. On June 11, 2023, Fortinet published a finding in which it reverse engineered a FluHorse sample uploaded to VirusTotal.

The apps imitated by the FluHorse carrier app were 'ETC,' a toll collection app used in Taiwan, and 'VPBank Neo,' a banking app in Vietnam. Both legitimate versions of these apps have over a million downloads on Google Play. Check Point also observed malware masquerading as a transportation app used by 100,000 people, but its name was not disclosed in the report. All three fake apps requested SMS access upon installation so they could intercept the incoming 2FA code if it was needed to hijack the account. After capturing the victim's account credentials and credit card details, the app displays a "system is busy" message for 10 minutes, most likely to make the process seem realistic while the operator works in the background to intercept the 2FA code and use the stolen data.
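The SMS-access-plus-network pattern described above is something a defender can screen for in an APK's decoded manifest. The following script is an added example, not Check Point's or Fortinet's tooling; the manifest it parses is constructed for illustration (the package name and receiver class are hypothetical, not from a real FluHorse sample).

```python
"""Triage a decoded AndroidManifest.xml for the pattern the FluHorse carrier apps
showed: SMS access requested by an app that also talks to the network (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Permissions that let an app read one-time codes delivered over SMS.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NETWORK_PERMISSION = "android.permission.INTERNET"

# Constructed sample mimicking a fake "toll app" manifest (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake_toll_app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="ETC">
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def requested_permissions(manifest_xml: str) -> set:
    """Names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}

def has_sms_receiver(manifest_xml: str) -> bool:
    """True if any intent-filter listens for the SMS_RECEIVED broadcast."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(ANDROID_NS + "name") == SMS_RECEIVED for a in root.iter("action"))

def triage(manifest_xml: str) -> dict:
    """Flag the SMS-interception-plus-exfiltration combination described in the report."""
    perms = requested_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMISSIONS)
    network = NETWORK_PERMISSION in perms
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "sms_permissions": sms,
        "network": network,
        "sms_receiver": has_sms_receiver(manifest_xml),
        "suspicious": bool(sms) and network,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A legitimate toll or banking app may also request SMS permissions, so treat a hit as a triage lead to be checked against the publisher's official listing rather than a verdict.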

Check Point said that the malicious app was built in Dart using the Flutter platform, which made reverse engineering and decompiling the malware challenging. Check Point warns that the FluHorse campaign is ongoing, with new infrastructure and malicious apps appearing every month, so it remains an active threat to Android users. Additionally, a new Android malware distributed as an advertising SDK has been found in several apps, many previously on Google Play and collectively downloaded over 400 million times. Security researchers at Dr. Web discovered the spyware module and track it as 'SpinOk,' warning that it can steal personal data stored on users' devices and send it to remote servers. The antivirus company said that SpinOk exhibits seemingly legitimate behavior, using minigames that lead to "daily rewards" to attract users.

Dr. Web claims that this SDK is found in 101 apps that have been downloaded a cumulative total of 421,290,300 times from Google Play. The most downloaded of these apps are:

- Cashzine - Earn prize money (10,000,000 downloads)

- Fizzo Novel - Offline Reading (10,000,000 downloads)

- Biugo - video maker & video editor (50,000,000 downloads)

- Crazy Drop (10,000,000 downloads)

- VFly: video editor & video maker (50,000,000 downloads)

- MVBit - MV video status maker (50,000,000 downloads)

- Noizz: video editor with music (100,000,000 downloads)

- Zapya - File Transfer, Sharing (100,000,000 downloads; Dr. Web says that the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in the current version 6.4.1)

- CashEM: Earn Rewards (5,000,000 downloads)

- Tick: watch to earn (5,000,000 downloads)

All but one of the above apps have been removed from Google Play, indicating that Google receives reports of malicious SDKs and removes the offending app until the developer submits a clean version. If users are using any of the apps listed above, they should update to the latest version available on Google Play. If the app is not available on the official Android app store, it is recommended to uninstall it immediately and scan your device with a mobile antivirus tool to ensure that all remaining spyware has been removed. BleepingComputer has contacted Google for a statement on this massive infection base, but no comment was available at the time of publication.