FluHorse Mobile Malware Targets Asian Victims
A novel email phishing campaign has targeted different industries in East Asian markets by distributing a previously unknown family of Android malware named FluHorse, which is built with the Flutter software development framework. The malware consists of numerous Android applications that imitate legitimate applications, most of which have over one million downloads.
These malicious apps steal victims' credentials and two-factor authentication codes. They mimic well-known apps such as ETC and VPBank Neo, which are widely used in Taiwan and Vietnam, and the scheme has been active since at least May 2022.
FluHorse Mode of Operation
The scam itself is simple: victims are tricked into clicking links in emails that direct them to fake websites hosting malicious APK files. The sites contain checks that screen potential victims and only serve the app if the browser's User-Agent string corresponds to Android. Once installed, the malware requests SMS permissions and coerces users into entering their login details and credit card information, which are then stolen and sent to a remote server.
Meanwhile, the malware intercepts all incoming 2FA codes and reroutes them to the command-and-control server. A dating app was also discovered that sends Chinese-speaking users to fake landing pages designed to capture credit card information. The phishing emails have targeted many notable institutions, including government employees and large industrial firms, with new fraudulent apps and infrastructure emerging every month.
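The behaviour described above (an app that requests SMS permissions, registers for incoming SMS, and ships what it collects to a remote server) leaves a recognisable footprint in an Android manifest. The following triage check is an added example, not code from the original article or from any FluHorse sample; it assumes a manifest already decoded to plain XML (for instance with apktool) and uses a constructed sample manifest.

```python
"""Triage check for the SMS-interception pattern described above.

Added example: inspects a decoded AndroidManifest.xml and reports whether
the app combines SMS access with network access and registers a receiver
for incoming SMS, the minimum an app needs to forward 2FA codes.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample manifest shaped like a fake banking app that also
# wants to read incoming SMS; not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Bank">
    <receiver android:name=".SmsForwarder" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return the permissions and receivers relevant to SMS interception."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for recv in root.iter("receiver"):
        for action in recv.iter("action"):
            if action.get(ANDROID_NS + "name") == SMS_RECEIVED:
                sms_receivers.append(recv.get(ANDROID_NS + "name"))
    has_internet = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "has_internet": has_internet,
        "sms_receivers": sms_receivers,
        # Flag only the full combination: SMS access, a receiver for it, and a way out.
        "suspicious": bool(perms & SMS_PERMS) and bool(sms_receivers) and has_internet,
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Many legitimate apps request one of these pieces; the check is a triage signal for the combination, not proof of malice on its own.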
FluHorse Built Using Flutter SDK
Surprisingly, the malware is written in Flutter, an open-source UI software development kit that lets developers build cross-platform apps from a single codebase. Although malicious actors frequently rely on evasion tactics, obfuscation, and long delays before execution to hinder analysis and bypass sandboxed environments, the choice of Flutter, whose compiled Dart code is harder to reverse-engineer with standard Android tooling, points to a higher degree of sophistication.