FluHorse Underground Malware
admin 7 months ago
admin #news

UnderGround Fluhorse Android Trojan steals SMS to intercept 2FA codes

In this article, explore the intriguing world of the Fluhorse Android malware, developed using the powerful Flutter SDK. Uncover its distinct features, distribution tactics, and nefarious operations. Delve into the encryption methods it employs and the permissions it seeks during installation.

According to Fortinet, the Android malware that appeared in May was created using the Flutter SDK, which makes it very difficult to analyze. The latest Fluhorse sample reviewed by the experts also uses a packer to hide the malicious payload.

The open-source Flutter toolkit allows you to build applications compatible with Android, iOS, Linux, and Windows based on the same sources. Reverse engineering such programs is difficult, and analysts usually perceive them as a black box.

Virus writers appreciate these properties of Flutter but usually use it to create cross-platform UI elements, so the malware itself is easy to analyze. The Fluhorse Trojan, as it turned out, is a rare exception: its malicious components are built directly into the Flutter code.


Once launched, the malware tries to lure and steal credentials from the victim, and also steals one-time 2FA codes. It monitors incoming SMS messages and forwards them to its server. The Trojan is usually distributed via email campaigns, and it has over 100,000 downloads to its credit.


The May samples of Fluhorse, according to Fortinet, did not use obfuscation or compression. This month, researchers came across a packed executable. The malware masqueraded as a legitimate toll control app popular in Southeast Asia.

The current version of Fluhorse (detection rate 24/65 at the time of analysis) was first uploaded to VirusTotal on June 11th. It is served as an APK file from the site hxxps://fasd1[.]oss-ap-southeast-1.aliyuncs.com; connections to that site from Asia, according to telemetry, have been observed since June 12.


The payload is encrypted (AES-128-CBC), archived, and the result is processed by the packer.

Once installed on the system, the payload loads a Flutter application that, when launched, asks for permission to monitor incoming SMS. The SMS listener runs in the background; for this, the malware bundles Dart Telephony, a legitimate open-source Flutter plugin.
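As an added example (not Fortinet's or this page's code), the following static triage heuristic flags an APK that combines the two traits the article attributes to Fluhorse: Flutter's native libraries and SMS permissions. It assumes a Flutter-built Android app ships libflutter.so and libapp.so under lib/, and the sample APK with its binary manifest is constructed inline rather than taken from a real sample.

```python
"""Static triage heuristic for Flutter-built APKs that request SMS access.
Added example, not Fortinet's or the page's code; the sample APK is constructed."""
import io
import zipfile

# Flutter ships its engine (libflutter.so) and AOT-compiled Dart code (libapp.so)
# as native libraries, which is where Fluhorse keeps its malicious logic.
FLUTTER_LIBS = {"libflutter.so", "libapp.so"}
SMS_PERMISSIONS = ("android.permission.RECEIVE_SMS", "android.permission.READ_SMS")


def triage_apk(apk_bytes: bytes) -> dict:
    """Return which Flutter libraries and SMS permissions an APK carries."""
    found_libs, found_perms = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            base = name.rsplit("/", 1)[-1]
            if name.startswith("lib/") and base in FLUTTER_LIBS:
                found_libs.add(base)
        # AndroidManifest.xml inside an APK is binary XML; its string pool is
        # usually UTF-16LE, sometimes UTF-8, so scan the raw bytes for both forms.
        # This is a triage heuristic, not a full AXML parser.
        manifest = apk.read("AndroidManifest.xml")
        for perm in SMS_PERMISSIONS:
            if perm.encode("utf-16-le") in manifest or perm.encode() in manifest:
                found_perms.add(perm)
    return {
        "flutter_libs": sorted(found_libs),
        "sms_permissions": sorted(found_perms),
        "suspicious": bool(found_libs) and bool(found_perms),
    }


def build_sample_apk(with_sms: bool) -> bytes:
    """Constructed stand-in for an APK: Flutter libraries plus a fake manifest."""
    perms = SMS_PERMISSIONS if with_sms else ("android.permission.INTERNET",)
    # Constructed binary-XML-like manifest: AXML magic followed by UTF-16LE strings.
    manifest = b"\x03\x00\x08\x00" + b"".join(p.encode("utf-16-le") for p in perms)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", manifest)
        for lib in FLUTTER_LIBS:
            apk.writestr(f"lib/arm64-v8a/{lib}", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_apk(build_sample_apk(with_sms=flag)))
```

A hit only means the APK is worth a closer look: legitimate messaging apps built with Flutter match the same pattern, so the result is a triage signal, not a verdict.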
