A recently released report from Check Point Research shows that a new type of malware has been discovered. Dubbed FluHorse, the malware is embedded into a series of fake Android apps that look like legitimate applications. One such application mimics a toll collection app, while another mimics a popular banking app.

This malware was designed to steal personal information – think usernames, passwords and 2FA codes. Hackers’ motives appear financial in nature. Distribution of the malware has occurred via email and adversaries have targeted sectors of the Eastern Asian market.

Multiple high-profile enterprises, particularly those within the government and industrial sectors, have found FluHorse malware within emails sent to employees.

Technical information

FluHorse was developed with an open source framework. The malware’s unsavory functionalities were created with Flutter, a Google-developed UI software development kit for cross-platform applications. Flutter’s custom virtual machine, support for various platforms and simplified use of GUI elements render it an appealing choice for malware developers.

“This approach allowed them to create dangerous and mostly undetected malicious applications. One of the benefits of using Flutter is that its hard-to-analyze nature renders many contemporary security solutions worthless,” said Check Point researchers.

More details…

As noted previously, FluHorse is delivered via assorted Android apps that mimic legitimate apps. Attackers chose to mimic applications from well-known companies, making the phony apps attractive to certain customer groups, who represent the attackers’ targets.

Once opened, the malicious Android apps show multiple windows that prompt victims to enter credentials. Any credentials entered are sent to a hacker-controlled server. After capturing credentials, the apps display a “system is busy” message for roughly 10 minutes, giving the illusion of legitimacy.

Interception of text messages

While this is happening, FluHorse begins to intercept incoming text messages, including two-factor authentication codes. This enables the hackers to bypass 2FA and break into victims’ accounts, provided that the hackers have already stolen the relevant login credentials or credit card details.

In turn, FluHorse malware ultimately allows cyber criminals to access victims’ bank accounts and carry out identity theft, among other nefarious activities.
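The two behaviours described above (an app that asks for credentials and then reads incoming SMS to capture 2FA codes) leave a footprint in the APK itself: an Android app can only receive SMS if it declares the RECEIVE_SMS or READ_SMS permission or registers a receiver for the SMS_RECEIVED broadcast, and a Flutter build ships its Dart code in libapp.so next to libflutter.so. The following triage script is an added example, not Check Point’s tooling or anything from the FluHorse samples; it takes a decoded AndroidManifest.xml and the APK’s file list and flags the combination of SMS access plus network access, noting the Flutter markers because, as the researchers observed, those builds are harder for conventional static analysis. The package name, manifest and file list below are constructed for the demonstration.

```python
"""Added triage example: flag Android APKs whose manifest shows the
SMS-interception-plus-exfiltration pattern described for FluHorse.
Not part of the original article or of Check Point's research tooling."""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission / action names that an SMS-reading app must declare.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
INTERNET_PERMISSION = "android.permission.INTERNET"

# Native libraries that every Flutter-built Android app ships.
FLUTTER_MARKERS = ("libflutter.so", "libapp.so")


def triage(manifest_xml: str, apk_files: list[str]) -> dict:
    """Return findings and a verdict for one APK.

    manifest_xml: the decoded (plain-text) AndroidManifest.xml
    apk_files:    paths of the entries inside the APK zip
    """
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        # iter() is recursive, so this catches <action> inside any receiver's intent-filter.
        "sms_receiver": any(a.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION
                            for a in root.iter("action")),
        "internet": INTERNET_PERMISSION in perms,
        "flutter": any(path.rsplit("/", 1)[-1] in FLUTTER_MARKERS for path in apk_files),
    }

    reasons = []
    reads_sms = bool(findings["sms_permissions"]) or findings["sms_receiver"]
    if reads_sms:
        reasons.append("app can read incoming SMS, including 2FA codes")
    if reads_sms and findings["internet"]:
        reasons.append("app also has network access, so captured codes can be sent out")
    if findings["flutter"]:
        reasons.append("Flutter build: logic lives in Dart (libapp.so), not in classes.dex")
    findings["reasons"] = reasons
    # SMS access alone is legitimate for messaging apps; the combination with
    # network access in an app that claims to be a toll or banking client is
    # what warrants a human look.
    findings["verdict"] = "review" if reads_sms and findings["internet"] else "low"
    return findings


# Constructed sample: what a decoded manifest of a fake toll app might look like.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake_toll">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Toll Payments">
    <activity android:name=".LoginActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_FILES = ["AndroidManifest.xml", "classes.dex",
                "lib/arm64-v8a/libflutter.so", "lib/arm64-v8a/libapp.so"]

# Constructed benign counterpart: network access only, ordinary Java/Kotlin build.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""
BENIGN_FILES = ["AndroidManifest.xml", "classes.dex", "res/layout/main.xml"]


if __name__ == "__main__":
    for name, manifest, files in (("fake_toll", SAMPLE_MANIFEST, SAMPLE_FILES),
                                  ("weather", BENIGN_MANIFEST, BENIGN_FILES)):
        result = triage(manifest, files)
        print(f"{name}: verdict={result['verdict']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

The script only reads what the APK declares, so it is a triage filter rather than a detector: it narrows a batch of suspicious attachments down to the ones worth dynamic analysis, and a messaging app will legitimately trip the SMS checks. To run it on a real file, extract AndroidManifest.xml with apktool (the binary manifest inside the zip is not plain XML) and pass the zip’s namelist as the second argument.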

Escaping detection

The malware is believed to have first emerged in May of 2022, and managed to escape detection for about a year. Researchers say that the malware’s less complicated structure contributed to its evasive strategy.

One of the most concerning aspects of FluHorse pertains to its ability to remain undetected for extended lengths of time, rendering it a difficult-to-identify persistent threat.

Further insights

Each of the legitimate apps that FluHorse mimics has over 100,000 installs. Because users trust those names and brands, they may be likely to click on and open the fraudulent applications.

FluHorse has emerged amidst a surge in cyber attacks within the Asia Pacific region. During the first quarter of 2023, the average organization in Asia Pacific experienced 1,835 cyber attack attempts per week, reflecting a 16% increase over the prior year’s numbers.

Organizations are encouraged to stay vigilant and to take steps to protect themselves from new and sophisticated malware threats. For more insights into the most menacing malware of 2023, please see CyberTalk.org’s past coverage.
