The inner workings of an Android malware family known as Fluhorse have been published by cybersecurity experts.
The malware “represents a significant shift in that it incorporates the malicious components directly within the Flutter code,” according to Fortinet FortiGuard Labs analyst Axelle Apvrille in a report published last week.
Check Point first discovered Fluhorse in early May 2023, revealing its attacks on East Asian customers using rogue apps masquerading as ETC and VPBank Neo, which are popular in Taiwan and Vietnam. Phishing is the malware’s first point of entry.
The app’s ultimate purpose is to send credentials, credit card information, and two-factor authentication (2FA) codes obtained by SMS to a remote server controlled by the threat actors.
According to Fortinet’s latest findings, based on reverse-engineering a Fluhorse sample uploaded to VirusTotal on June 11, 2023, the malware has evolved and become more sophisticated, concealing its encrypted payload inside a packer.
“Decryption is performed at the native level (to harden reverse engineering) using OpenSSL’s EVP cryptographic API,” Apvrille explained. “The encryption algorithm is AES-128-CBC, and its implementation uses the same hard-coded string for the key and initialization vector (IV).”
The decrypted payload, a ZIP file, contains within it a Dalvik executable file (.dex), which is then installed on the device to listen to incoming SMS messages and exfiltrate them to the remote server.
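The following script is an added example and is not code from the Fortinet report or from the Fluhorse sample. It reproduces, from an analyst's side, the unpacking step described in the two paragraphs above: AES-128-CBC decryption with one hard-coded string serving as both key and IV, PKCS#7 unpadding (OpenSSL's EVP default), a check that the result is a ZIP, and extraction of the Dalvik executable (`classes.dex`) inside it. The hard-coded string `SAMPLE_HARDCODED_STRING` is a constructed placeholder (the sample's real string is not reproduced here), the packed blob is built by the script itself so it runs offline, and the assumption that the string is used as-is as a 16-byte key/IV is labelled in the code. AES comes from the `cryptography` package, with pycryptodome as a fallback.

```python
"""Added example, not code from Fortinet or from the Fluhorse sample.

Models the unpacking step the article describes: AES-128-CBC with the same
hard-coded string used as key and IV, then a ZIP holding classes.dex.
"""
import io
import zipfile

# Constructed placeholder. The real sample's string is not reproduced here;
# an analyst substitutes the one recovered from the packer's native library.
SAMPLE_HARDCODED_STRING = b"placeholder_key!"   # exactly 16 bytes

ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n035\x00"   # 'dex\n' + version '035' + NUL, per the DEX format


def key_and_iv(hardcoded):
    """AES-128-CBC needs a 16-byte key and a 16-byte IV. The article says the
    sample feeds one hard-coded string to both; that pattern is modelled here
    (assumption: the string is used as-is, so it must be 16 bytes long)."""
    if len(hardcoded) != 16:
        raise ValueError("AES-128 key/IV must be 16 bytes, got %d" % len(hardcoded))
    return hardcoded, hardcoded


def aes_cbc(key, iv, data, decrypt):
    """Raw AES-CBC without padding handling (callers pad/unpad)."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        engine = cipher.decryptor() if decrypt else cipher.encryptor()
        return engine.update(data) + engine.finalize()
    except ImportError:
        from Crypto.Cipher import AES
        cipher = AES.new(key, AES.MODE_CBC, iv)
        return cipher.decrypt(data) if decrypt else cipher.encrypt(data)


def pkcs7_pad(data):
    n = 16 - len(data) % 16
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    """OpenSSL's EVP routines apply PKCS#7 padding by default; reject bad padding."""
    if not data or len(data) % 16:
        raise ValueError("ciphertext length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding (wrong key/IV?)")
    return data[:-n]


def unpack_payload(blob, hardcoded):
    """Decrypt the packed blob and return {entry name: bytes} of the inner ZIP.
    Raises ValueError if decryption does not yield a ZIP archive."""
    key, iv = key_and_iv(hardcoded)
    plain = pkcs7_unpad(aes_cbc(key, iv, blob, decrypt=True))
    if not plain.startswith(ZIP_MAGIC):
        raise ValueError("decrypted data is not a ZIP archive")
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def is_dex(data):
    """True if the bytes start with the DEX header magic (a Dalvik executable)."""
    return data.startswith(DEX_MAGIC)


def build_sample_packed_payload(hardcoded=SAMPLE_HARDCODED_STRING):
    """Constructed stand-in for the sample's packed asset: a ZIP containing a
    fake classes.dex (DEX magic plus filler), AES-128-CBC encrypted with key == IV."""
    fake_dex = DEX_MAGIC + b"\x00" * 24   # header magic only; not a real DEX file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", fake_dex)
    key, iv = key_and_iv(hardcoded)
    return aes_cbc(key, iv, pkcs7_pad(buf.getvalue()), decrypt=False)


if __name__ == "__main__":
    blob = build_sample_packed_payload()
    entries = unpack_payload(blob, SAMPLE_HARDCODED_STRING)
    for name, data in entries.items():
        print(name, len(data), "bytes, DEX header:", is_dex(data))
```

Because the key and IV are fixed in the binary, the unpacking is fully deterministic: once the string has been pulled from the native library, the same routine recovers the payload from every sample built with that packer, and a wrong string fails closed on the padding or ZIP-magic check rather than producing a plausible-looking archive.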
“Reversing Flutter applications statically is a breakthrough for anti-virus researchers, as, unfortunately, more malicious Flutter apps are expected to be released in the future,” Apvrille said.