A new email phishing campaign distributing Android malware called FluHorse is targeting various sectors in East Asian markets, warns cybersecurity company Check Point. The malware includes several malicious Android apps that mimic legitimate ones and have more than 1 million installs.
The apps steal victims’ credentials and 2FA codes; they also request SMS permissions and prompt users to enter credit card information.
The phishing scheme lures victims with emails containing links to a bogus website that hosts malicious APK files. The website screens visitors and serves the app only if the browser's User-Agent string identifies an Android device.
The malware then exfiltrates stolen information to a remote server in the background while the victim waits for several minutes.
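The User-Agent screening described above is a form of cloaking that a defender can test for by fetching the same URL with an Android and a non-Android User-Agent and comparing what comes back. The following is an added example, not code from Check Point or from the report; the User-Agent strings, the in-memory APK stand-in and the sample responses are all constructed here so it runs offline.

```python
"""Flag a URL that hands an Android package only to Android User-Agents.

Added example (not from the Check Point report). The responses below are
constructed inline; in practice they would come from fetching one URL with
each User-Agent.
"""
import io
import zipfile

# Constructed User-Agent strings: one Android, one desktop.
ANDROID_UA = "Mozilla/5.0 (Linux; Android 13; Pixel 7) Mobile Safari/537.36"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36"


def looks_like_apk(body: bytes) -> bool:
    """An APK is a ZIP archive whose root holds AndroidManifest.xml."""
    if not body.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def detect_ua_cloaking(responses: dict) -> dict:
    """responses maps User-Agent -> (status, content_type, body) for one URL.

    Reports which User-Agents received an APK and flags the URL as UA-gated
    when an APK went to Android clients only.
    """
    served_apk = {ua: looks_like_apk(body) for ua, (_, _, body) in responses.items()}
    android_hits = [ua for ua, hit in served_apk.items() if hit and "Android" in ua]
    other_hits = [ua for ua, hit in served_apk.items() if hit and "Android" not in ua]
    return {"served_apk": served_apk, "ua_gated": bool(android_hits) and not other_hits}


def build_fake_apk() -> bytes:
    """Constructed stand-in for a downloaded APK: a ZIP with a manifest entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed sample: the Android client gets the package, the desktop a decoy page.
SAMPLE_RESPONSES = {
    ANDROID_UA: (200, "application/vnd.android.package-archive", build_fake_apk()),
    DESKTOP_UA: (200, "text/html", b"<html><body>Coming soon</body></html>"),
}

if __name__ == "__main__":
    print(detect_ua_cloaking(SAMPLE_RESPONSES))
```

A site that serves the APK to every User-Agent, or to none, is not flagged; only the Android-only pattern is.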
The malware imitates popular apps like ETC and VPBank Neo, which are widely used in Taiwan and Vietnam. Evidence shows that the campaign has been active since at least May 2022. The use of Flutter, an open-source UI software development kit that enables cross-platform app development from a single codebase, marks a new level of sophistication among threat actors.
This approach allowed the malware developers to create dangerous and mostly undetected malicious applications, making many contemporary security solutions worthless.
Recipients of these phishing emails include employees of several high-profile organizations in the government sector and at large industrial companies.