UnderGround Fluhorse Android Trojan steals SMS to intercept 2FA codes

This article looks at the Fluhorse Android malware, which is built with the Flutter SDK. It covers the Trojan's distinguishing features, its distribution tactics and what it does once installed, including the encryption it applies to its payload and the permissions it requests on installation.

2023-07-03 01:07:03 - admin


According to Fortinet, the Android malware that appeared in May was created using the Flutter SDK, which makes it very difficult to analyze. The latest Fluhorse sample reviewed by the experts also uses a packer to hide the malicious payload.

The open-source Flutter toolkit allows you to build applications compatible with Android, iOS, Linux, and Windows based on the same sources. Reverse engineering such programs is difficult, and analysts usually perceive them as a black box.

Malware authors appreciate these properties of Flutter, but they usually use it only for cross-platform UI elements, so the malicious logic itself remains easy to analyze. The Fluhorse Trojan, as it turned out, is a rare exception: its malicious components are built directly into the Flutter code.

Once launched, the malware tries to lure the victim into entering credentials and steals them, and it also steals one-time 2FA codes: it monitors incoming SMS messages and forwards them to its server. The Trojan is usually distributed via email campaigns and has over 100,000 downloads to its credit.

The May samples of Fluhorse, according to Fortinet, used neither obfuscation nor compression. This month, the researchers came across a packed executable. The malware masqueraded as a legitimate toll-collection app popular in Southeast Asia.

The current version of Fluhorse (detection rate 24/65 at the time of analysis) was first uploaded to VirusTotal on June 11th. It is served as an APK file from the site hxxps://fasd1[.]oss-ap-southeast-1.aliyuncs.com; according to telemetry, requests to that site from Asia have been observed since June 12.

The payload is encrypted with AES-128-CBC, then archived, and the result is wrapped by the packer.

Once installed on the system, the payload loads a Flutter application that, when launched, asks for permission to monitor incoming SMS. The listening is carried out in the background, and for this purpose Dart Telephony, a legitimate open-source Flutter plugin, is bundled into the malware.
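The two traits described above, a Flutter build (the engine and AOT Dart code ship as native libraries) carrying an encrypted payload inside the APK, can be turned into a static triage check. The script below is an added example, not Fortinet's tooling or anything from the Fluhorse sample; it assumes only the Python standard library, the library names `libflutter.so` and `libapp.so` that Flutter builds normally contain, and a constructed in-memory APK standing in for a real one (random bytes play the role of the AES-encrypted blob).

```python
# Static triage heuristic for a packed Flutter APK (added example, not from the
# article or Fortinet). Standard library only; the sample APK is constructed.
import io
import math
import os
import zipfile
from collections import Counter

FLUTTER_MARKERS = ("libflutter.so", "libapp.so")  # Flutter engine + AOT Dart code
ENTROPY_THRESHOLD = 7.0  # bits/byte; encrypted or compressed blobs sit near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def triage_apk(apk_bytes: bytes, min_size: int = 1024) -> dict:
    """Return indicators of a Flutter build carrying an encrypted asset payload."""
    flutter_libs, suspicious_assets = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(FLUTTER_MARKERS):
                flutter_libs.append(name)
            # Encrypted payloads are usually dropped under assets/ or res/raw/
            elif name.startswith(("assets/", "res/raw/")) and info.file_size >= min_size:
                ent = shannon_entropy(zf.read(name))
                if ent >= ENTROPY_THRESHOLD:
                    suspicious_assets.append((name, round(ent, 2)))
    return {
        "flutter": bool(flutter_libs),
        "flutter_libs": flutter_libs,
        "high_entropy_assets": suspicious_assets,
        "packed_flutter_suspect": bool(flutter_libs) and bool(suspicious_assets),
    }

def build_sample_apk() -> bytes:
    """Constructed stand-in for a packed Flutter APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary AXML header only
        zf.writestr("lib/arm64-v8a/libflutter.so", b"\x7fELF" + b"\x00" * 64)
        zf.writestr("lib/arm64-v8a/libapp.so", b"\x7fELF" + b"\x00" * 64)
        zf.writestr("assets/flutter_assets/AssetManifest.json", b'{"assets":[]}' * 100)
        zf.writestr("assets/payload.bin", os.urandom(4096))  # stands in for the encrypted payload
    return buf.getvalue()
```

The low-entropy `AssetManifest.json` is deliberately kept as a control: only the random-looking asset crosses the threshold, so the heuristic flags the Flutter-plus-encrypted-blob combination rather than every Flutter app.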
