Fluhorse: A Sophisticated Android Malware Targeting Credit Cards and 2FA Codes through Flutter-Based Apps
Security researchers have documented a new Android malware family, Fluhorse, that is notable for placing its malicious logic directly in Flutter code rather than in the usual Java or Kotlin layer. Flutter, an open-source UI toolkit developed by Google, lets developers build mobile applications for several platforms from a single Dart codebase; release builds compile that Dart code ahead of time to native code, which most Android decompilers handle poorly, and that is what makes a Flutter-hosted payload harder to analyze than a conventional one.
The Unique Characteristics of Fluhorse: Fluhorse hides inside apps that look legitimate, which makes its presence hard for users to spot. Its goal is to steal sensitive information: user credentials, credit card details, and the two-factor authentication (2FA) codes delivered by SMS.
First reported in early May 2023, Fluhorse targets users in East Asia by impersonating popular applications such as ETC (a Taiwanese toll-collection app) and VPBank Neo (a Vietnamese banking app). Borrowing the identity of a trusted app raises the odds that a victim installs it. The malware is distributed mainly through phishing that lures the victim into installing the fake app, which is why user awareness and caution with unsolicited links remain a first line of defense.
A Noteworthy Encryption Technique and Vulnerability:
Fluhorse calls OpenSSL's EVP cryptographic API from its Flutter code to decrypt an embedded payload encrypted with AES-128-CBC. Using a well-known library is not what hinders analysis; the native Dart code around it is. The weak point, from the malware author's side, is that both the AES key and the initialization vector (IV) are hard-coded strings in the binary. Anyone holding the sample can pull those strings out and decrypt the payload offline, without running the app at all.
Unveiling the Payload and its Functionality: Once decrypted, the payload turns out to be a ZIP archive containing a Dalvik executable (.dex), the compiled bytecode format Android applications ship in. The Flutter shell loads this .dex at runtime on the infected device. In Fluhorse's case the loaded code registers for incoming SMS messages and forwards them to a remote server under the attackers' control, which is how the 2FA codes leave the phone.
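The two analysis steps above, recovering the hard-coded key and IV and decrypting the payload, then triaging the dropped code for SMS interception, can be scripted. The following Go program is an added example written for this page; it is not Fluhorse's code and not code published by the researchers who analyzed it. It models the decryption scheme the article describes (AES-128-CBC with PKCS#7 padding, the default for OpenSSL's EVP_Decrypt* calls) and checks that the result begins with the ZIP magic bytes. The key, IV and payload bytes are constructed stand-ins, not the real sample's values. The second half assumes the .dex has been unpacked and its AndroidManifest.xml decoded to plain XML (for example with apktool) and looks for the three things an SMS forwarder needs: the RECEIVE_SMS permission, a receiver for the incoming-SMS broadcast, and INTERNET for exfiltration. The manifest excerpt, package and class names are likewise made up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// ---- Part 1: decrypting an AES-128-CBC payload with recovered key and IV ----

// zipMagic is the local-file-header signature at offset 0 of every ZIP archive.
var zipMagic = []byte{0x50, 0x4B, 0x03, 0x04}

// Stand-ins for the hard-coded strings the sample hands to EVP_DecryptInit_ex.
// These are constructed for the example, not the real values. AES-128 needs a
// 16-byte key and CBC a 16-byte IV.
const (
	assumedKey = "example-key-0123"
	assumedIV  = "example-iv-45678"
)

// pkcs7Pad applies the padding OpenSSL EVP adds by default on encryption.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips that padding and rejects malformed padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// DecryptPayload reverses the scheme: AES-128-CBC with the recovered key and IV,
// then PKCS#7 unpadding. It refuses output that does not start with the ZIP
// magic, which is the quickest sign that the recovered key or IV is wrong.
func DecryptPayload(ct, key, iv []byte) ([]byte, error) {
	if len(key) != 16 || len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("need 16-byte key and IV, got %d and %d", len(key), len(iv))
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a whole number of blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(pt, zipMagic) {
		return nil, errors.New("decrypted data is not a ZIP archive: wrong key/IV?")
	}
	return pt, nil
}

// EncryptPayload models the packer side so the example runs offline.
func EncryptPayload(pt, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be one block long")
	}
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

// SamplePayload is a constructed stand-in for the embedded archive: the ZIP
// magic followed by filler bytes. It is not the real payload.
func SamplePayload() []byte {
	return append(append([]byte(nil), zipMagic...), []byte("classes.dex placeholder bytes")...)
}

// ---- Part 2: triaging a decoded AndroidManifest.xml for SMS interception ----

const (
	permReceiveSMS = "android.permission.RECEIVE_SMS"
	permInternet   = "android.permission.INTERNET"
	actionSMS      = "android.provider.Telephony.SMS_RECEIVED"
)

// sampleManifest is a constructed excerpt in the shape apktool emits; the
// package and class names are invented for the example.
const sampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropped">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="ETC">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>`

// The android: prefix resolves to this namespace, so the struct tags name it.
type namedAttr struct {
	Name string `xml:"http://schemas.android.com/apk/res/android name,attr"`
}

type receiver struct {
	Name    string      `xml:"http://schemas.android.com/apk/res/android name,attr"`
	Actions []namedAttr `xml:"intent-filter>action"`
}

type manifest struct {
	Package     string      `xml:"package,attr"`
	Permissions []namedAttr `xml:"uses-permission"`
	Receivers   []receiver  `xml:"application>receiver"`
}

// SmsIndicators parses a decoded manifest and lists the findings that together
// point at an SMS forwarder. An empty slice means none were present.
func SmsIndicators(manifestXML string) ([]string, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var findings []string
	for _, p := range m.Permissions {
		if p.Name == permReceiveSMS || p.Name == permInternet {
			findings = append(findings, "permission "+p.Name)
		}
	}
	for _, r := range m.Receivers {
		for _, a := range r.Actions {
			if a.Name == actionSMS {
				findings = append(findings, "receiver "+r.Name+" handles "+actionSMS)
			}
		}
	}
	return findings, nil
}

// LooksLikeSmsForwarder is the triage verdict: all three indicators present.
// Plenty of legitimate apps request RECEIVE_SMS, so this only flags a sample for
// manual review; it does not prove malice by itself.
func LooksLikeSmsForwarder(findings []string) bool {
	joined := strings.Join(findings, "\n")
	return strings.Contains(joined, permReceiveSMS) &&
		strings.Contains(joined, permInternet) &&
		strings.Contains(joined, actionSMS)
}

func main() {
	key, iv := []byte(assumedKey), []byte(assumedIV)
	ct, err := EncryptPayload(SamplePayload(), key, iv)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptPayload(ct, key, iv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes starting with %q\n", len(pt), pt[:4])

	findings, err := SmsIndicators(sampleManifest)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
	fmt.Println("flag for review:", LooksLikeSmsForwarder(findings))
}
```

Two design points worth noting. The ZIP-magic check is the cheap oracle an analyst uses when brute-forcing candidate strings from the binary as key or IV: a wrong guess fails PKCS#7 unpadding or yields garbage that does not begin with `PK\x03\x04`. And the manifest triage deliberately requires all three indicators; RECEIVE_SMS on its own is common in benign apps, while a receiver for SMS_RECEIVED with a high priority plus network access is the combination that matches the forwarding behaviour described above.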
The Implications and Future Concerns:
Showing that a Flutter application's compiled Dart code can be reversed far enough to recover its crypto routine and payload is a useful step forward for malware analysts, since Flutter's native compilation has kept such code opaque to the usual Android tooling. It also suggests that more malware authors will move their logic into Flutter for exactly that reason. Organizations should therefore not wait for this family to evolve before putting proactive measures in place.
Proactive Security Measures:
In conclusion, Fluhorse is a significant and evolving Android threat that hides its malicious code inside a Flutter app wearing the name of a trusted one. To protect your organization's sensitive data, adopt proactive security measures: stay vigilant, educate your employees about phishing and sideloaded apps, prefer 2FA methods that are not delivered over SMS where possible, and deploy robust endpoint security on mobile devices. You can further strengthen your defenses by partnering with Armoryze and leveraging our Managed Detection and Response (MDR) service.
Armoryze's MDR service goes beyond traditional security measures by providing continuous monitoring, threat detection, and rapid incident response. Our team of cybersecurity experts combines advanced technologies with human intelligence to identify and neutralize threats in real-time. By integrating Armoryze MDR into your security framework, you can enhance your organization's ability to detect and respond to sophisticated malware attacks like Fluhorse.