Friday, June 21, 2024

New Weaponized Android Apps With 1M Installs Steals 2FA Codes & Passwords

Android Malware Steals 2FA Codes. Check Point Research has recently published a study revealing the discovery of a previously unknown malware variant dubbed FluHorse.

The malware comprises multiple malicious Android apps that impersonate legitimate ones, and unfortunately, most of these fake apps have already been installed by over 1,000,000 users.

All these malicious applications are designed to steal victims’ credentials and 2FA codes, compromising their personal and sensitive information.

FluHorse targets various industries across the Eastern Asian market and is distributed through email.

These attacks can prove persistent, dangerous, and challenging to detect, as they often leverage email accounts belonging to high-profile entities during the initial stages.

Mimicked Apps

Attackers find applications that mimic trusted, reputable companies particularly enticing since they are likely to attract financially capable customers. 

The legitimacy of these copied applications makes them even more appealing to hackers.

  • ETC with 1,000,000+ Google Play installsVPBank
  • Neo with 1,000,000+ Google Play installs

According to the ETC APK developer’s website, the application generates approximately 16 million transactions daily, with over 6 million users relying on its services.

VPBank, a major private bank in Vietnam, recorded total assets surpassing 631 trillion dongs as of December 2022, cementing its position as one of the country’s biggest financial institutions.

While the enterprise encompasses a diverse range of financial services like:-

  • Spanning retail
  • Corporate
  • Consumer Finance
  • Wealth management operations

Also, experts have noted the presence of other malicious dating applications’ presence. However, they have not discovered any corresponding applications that the malware attempts to impersonate.

Targeted banks

Infection Chain

The malicious applications contain nothing beyond multiple window replicas that offer the victim input options.

While the scheme’s effectiveness remains undisputed, regardless of the attackers’ intentions, once the victim enters their sensitive data, the information is swiftly exfiltrated to the command and control (C&C) server.

Upon reaching this step, the SMS interception feature takes over, redirecting all incoming SMS traffic to the server under the attacker’s control.

The malware actors intercept any Two Factor Authentication (2FA) codes when prompted in the event they have already entered stolen credentials or credit card data.

Attack Chain

Moreover, the email lures serve as an effective social engineering tactic and are consistent with the supposed intent of the malicious APK (like paying tolls) installed afterward.

Cloned apps

To achieve the objective, assessing Flutter-based applications requires intermediate steps compared to analyzing pure Android apps.

The Flutter framework uses a custom virtual environment that enables developers to develop across multiple platforms using a single code set.

The Flutter platform utilizes a particular programming language called Dart for its development. At the same time, the availability of the Flutter platform code as an open-source project makes analysis somewhat more straightforward.

Toolchain

The malicious samples have multiple layers of technical implementation.

Despite the simple, functional aspect, analysts deduce that the malware developers utilized Flutter as a developing platform, indicating minimal programming effort.

Since May 2022, FluHorse activity has been under the radar of cybersecurity researchers.

Their analysis reveals the persistent danger of these campaigns as fresh infrastructure nodes and malicious applications surface every month.

Website

Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from Promokit.eu for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles