Various sectors in East Asian markets have been subjected to a new email phishing campaign that distributes a previously undocumented strain of Android malware called FluHorse that abuses the Flutter software development framework.
"The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs," Check Point said in a technical report. "These malicious apps steal the victims' credentials and two-factor authentication (2FA) codes."
The malicious apps have been found to imitate popular apps like ETC and VPBank Neo, which are widely used in Taiwan and Vietnam. Evidence gathered so far shows that the activity has been active since at least May 2022.
The phishing scheme in itself is fairly straightforward, wherein victims are lured with emails that contain links to a bogus website that hosts malicious APK files. Also added to the website are checks that aim to screen victims and deliver the app only if their browser User-Agent string matches that of Android.
Once installed, the malware requests for SMS permissions and prompts the user to input their credentials and credit card information, all of which is subsequently exfiltrated to a remote server in the background while the victim is asked to wait for several minutes.
The threat actors also abuse their access to SMS messages to intercept all incoming 2FA codes and redirect them to the command-and-control server.
The Israeli cybersecurity firm said it further identified a dating app that redirected Chinese-speaking users to rogue landing pages that are designed to capture credit card information.
Several high-profile organizations are said to be among the recipients of these phishing emails, including employees of the government sector and large industrial companies, with new infrastructure and fraudulent applications showing up every month.
Interestingly, the malicious functionality is implemented with Flutter, an open source UI software development kit that can be used to develop cross-platform apps from a single codebase.
While threat actors are known to use a variety of tricks like evasion techniques, obfuscation, and long delays before execution to resist analysis and get around virtual environments, the use of Flutter marks a new level of sophistication.
"The malware developers did not put much effort into the programming, instead relying on Flutter as a developing platform," the researchers concluded.
"This approach allowed them to create dangerous and mostly undetected malicious applications. One of the benefits of using Flutter is that its hard-to-analyze nature renders many contemporary security solutions worthless."