A new Android malware named "FluHorse" has been discovered targeting users in East Asia with malicious apps that mimic legitimate ones. FluHorse is distributed via email, and its purpose is to steal the target's account credentials and credit card data and, where required, intercept two-factor authentication (2FA) codes. The malware was discovered by Check Point Research, which reports that it has been targeting various sectors in East Asia since May 2022. The report details attacks against users in East Asia via malicious applications masquerading as ETC and VPBank Neo, which are popular in Taiwan and Vietnam, respectively. The initial intrusion vector for this malware was phishing.
FluHorse attacks begin with a malicious email sent to high-profile targets, urging them to take immediate action to resolve payment issues. Typically, victims are directed to a phishing site via a link in the email, where they download a fake app as an APK (Android package file). The main purpose of the app is to steal credentials, credit card details, and two-factor authentication (2FA) codes received via SMS, and to send them to a remote server under the control of the threat actor. On June 11, 2023, Fortinet published its own findings from reverse engineering a FluHorse sample uploaded to VirusTotal.
The apps imitated by the FluHorse carrier app were 'ETC,' a toll collection app used in Taiwan, and 'VPBank Neo,' a banking app in Vietnam. Both legitimate versions of these apps have over a million downloads on Google Play. Check Point also observed malware masquerading as a transportation app used by 100,000 people, but its name was not disclosed in the report. All three fake apps requested SMS access upon installation so they could intercept incoming 2FA codes if needed to hijack the account. After capturing the victim's account credentials and credit card details, the app displays a "system is busy" message for 10 minutes, most likely to make the process seem realistic while the operator works in the background to intercept the 2FA code and use the stolen data.
Check Point said that the malicious app was built in Dart using the Flutter platform, which made reverse engineering and decompiling the malware challenging. Check Point warns that the FluHorse campaign is ongoing, with new infrastructure and malicious apps appearing every month, so it remains an active threat to Android users.

Separately, new Android malware distributed as an advertising SDK has been found in several apps, many previously on Google Play and collectively downloaded over 400 million times. Security researchers at Dr. Web discovered the spyware module and track it as 'SpinOk,' warning that it can steal personal data stored on users' devices and send it to remote servers. The antivirus company said that SpinOk exhibits seemingly legitimate behavior, using minigames that lead to "daily rewards" to attract users. Dr. Web claims that the SDK is found in 101 apps that have been downloaded a cumulative 421,290,300 times from Google Play. These are the most downloaded of them:
- Cashzine - Earn prize money (10,000,000 downloads)
- Fizzo Novel - Offline Reading (10,000,000 downloads)
- Biugo - video maker & video editor (50,000,000 downloads)
- Crazy Drop (10,000,000 downloads)
- VFly: video editor & video maker (50,000,000 downloads)
- MVBit - MV video status maker (50,000,000 downloads)
- Noizz: video editor with music (100,000,000 downloads)
- Zapya - File Transfer, Sharing (100,000,000 downloads; Dr. Web says the trojan module was present from version 6.3.3 to version 6.4 and is no longer present in the current version 6.4.1)
- CashEM: Earn Rewards (5,000,000 downloads)
- Tick: watch to earn (5,000,000 downloads)
All but one of the above apps have been removed from Google Play, indicating that Google receives reports of malicious SDKs and removes the offending app until the developer submits a clean version. Users who have any of the apps listed above installed should update to the latest version available on Google Play. If the app is no longer available on the official Android app store, it is recommended to uninstall it immediately and scan the device with a mobile antivirus tool to ensure that all remaining spyware has been removed. BleepingComputer has contacted Google for a statement on this massive infection base, but no comment was available at the time of publication.
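As an added defender-side example (not code from Check Point, Dr. Web or BleepingComputer), the following Python triage helper applies two facts from this article to a device's app inventory: it flags sideloaded apps that hold SMS permissions, as the fake ETC and VPBank Neo apps did, and flags Zapya builds whose version falls in the range Dr. Web reported. The package names and inventory records are constructed placeholders; the Play Store installer package and the SMS permission names are standard Android values.

```python
"""Added triage helper (not from the report). Flags the two risks the article
describes. All package names and records below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional

PLAY_STORE = "com.android.vending"  # installerPackageName for apps installed from Google Play
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Zapya versions Dr. Web reported as carrying the SpinOk module (inclusive range).
ZAPYA_AFFECTED = ("6.3.3", "6.4")


@dataclass
class App:
    package: str
    label: str
    version: str
    installer: Optional[str]  # None means sideloaded or unknown installer
    perms: set = field(default_factory=set)


def version_tuple(version, width=3):
    """'6.4' -> (6, 4, 0) so that '6.4' and '6.4.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def zapya_affected(version):
    """True when the version lies inside the reported range 6.3.3 .. 6.4."""
    lo, hi = (version_tuple(v) for v in ZAPYA_AFFECTED)
    return lo <= version_tuple(version) <= hi


def triage(apps):
    """Return (package, reason) pairs that deserve a closer look."""
    findings = []
    for app in apps:
        if app.perms & SMS_PERMS and app.installer != PLAY_STORE:
            findings.append((app.package, "sideloaded app holding SMS permissions (2FA interception risk)"))
        if app.label == "Zapya" and zapya_affected(app.version):
            findings.append((app.package, f"Zapya {app.version} is in the SpinOk-affected range"))
    return findings


# Constructed inventory in the shape of `adb shell dumpsys package` fields (placeholder packages).
SAMPLE = [
    App("com.example.fake.etc", "ETC", "1.0", None, {"android.permission.RECEIVE_SMS"}),
    App("com.example.messenger", "Messenger", "3.2", PLAY_STORE, {"android.permission.READ_SMS"}),
    App("com.example.zapya", "Zapya", "6.3.5", PLAY_STORE),
    App("com.example.zapya.new", "Zapya", "6.4.1", PLAY_STORE),
]

if __name__ == "__main__":
    for package, reason in triage(SAMPLE):
        print(f"{package}: {reason}")
```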