FluHorse Underground Malware
admin 1 year ago
admin #news

UnderGround Fluhorse Android Trojan steals SMS to intercept 2FA codes

In this article, explore the Fluhorse Android malware, developed using the Flutter SDK. Uncover its distinct features, distribution tactics, and operations, including the encryption it employs and the permissions it requests during installation.

According to Fortinet, the Android malware that appeared in May was created using the Flutter SDK, which makes it very difficult to analyze. The latest Fluhorse sample reviewed by the experts also uses a packer to hide the malicious payload.

The open-source Flutter toolkit allows you to build applications compatible with Android, iOS, Linux, and Windows based on the same sources. Reverse engineering such programs is difficult, and analysts usually perceive them as a black box.

Virus writers appreciate these properties of Flutter but usually use it only to build cross-platform UI elements, so the malicious logic itself remains easy to analyze. The Fluhorse Trojan, as it turned out, is a rare exception: its malicious components are built directly into the Flutter code.


Once launched, the malware tries to lure and steal credentials from the victim, and also steals one-time 2FA codes. It monitors incoming SMS messages and forwards them to its server. The Trojan is usually distributed via email campaigns, and it has over 100,000 downloads to its credit.


The May samples of Fluhorse, according to Fortinet, did not use obfuscation or compression. This month, researchers came across a packaged executable. The malware masqueraded as a legitimate toll control app popular in Southeast Asia.

The current version of Fluhorse (detection rate 24/65 at the time of analysis) was first uploaded to VirusTotal on June 11th. It is served as an APK file from hxxps://fasd1[.]oss-ap-southeast-1.aliyuncs.com; according to telemetry, requests to that site from Asia have been observed since June 12.


The payload is encrypted with AES-128-CBC, then archived, and the result is wrapped by the packer.

Once installed on the system, the payload loads a Flutter application that, when launched, asks for permission to monitor incoming SMS. Listening runs in the background; for this purpose the malware bundles Dart Telephony, a legitimate open-source Flutter plugin.
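The combination described above (a Flutter-built app that requests SMS permission and registers a background receiver for incoming messages) can be checked statically before an APK is allowed onto a device. The following triage script is an added example, not code from Fortinet or from the article; it assumes a decoded AndroidManifest.xml (for instance from apktool) and the APK's file listing, and the manifest and file names below are constructed sample values.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that let an app read one-time codes delivered over SMS.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_apk(manifest_xml: str, file_list: list[str]) -> dict:
    """Static triage of a decoded manifest plus the APK's file listing.

    Heuristic only: a legitimate SMS app matches the same indicators, so the
    verdict is a reason to look closer, not a detection on its own.
    """
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    # A receiver filtered on SMS_RECEIVED gets every incoming message pushed to
    # it, including while the app is in the background.
    sms_receiver = any(
        a.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION
        for r in root.iter("receiver")
        for a in r.iter("action")
    )
    # Flutter apps ship the engine (libflutter.so) and the AOT-compiled Dart
    # code (libapp.so); the latter is where Fluhorse keeps its logic.
    flutter = any(f.endswith(("/libflutter.so", "/libapp.so")) for f in file_list)
    if sms_perms and sms_receiver:
        verdict = "flutter-sms-intercept" if flutter else "sms-intercept"
    elif sms_perms or sms_receiver:
        verdict = "review"
    else:
        verdict = "no-sms-capability"
    return {"sms_permissions": sms_perms, "sms_receiver": sms_receiver,
            "flutter": flutter, "verdict": verdict}


# Constructed sample: a decoded manifest and file listing, not a real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tollapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name="com.example.sms.IncomingSmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_FILES = ["AndroidManifest.xml", "classes.dex",
                "lib/arm64-v8a/libflutter.so", "lib/arm64-v8a/libapp.so"]

if __name__ == "__main__":
    print(triage_apk(SAMPLE_MANIFEST, SAMPLE_FILES))
```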
