A new Android malware known as ‘FluHorse’ has been discovered, which targets users in Eastern Asia with malicious apps that appear to be legitimate versions and has over a million installs.
These malicious apps, according to Check Point Research, are designed to steal sensitive information such as user credentials and Two-Factor Authentication (2FA) codes.
FluHorse malware is typically distributed via email and targets multiple sectors in Eastern Asia.
During the early stages of the phishing email attack, high-profile entities such as government officials were targeted in some cases.
One of the most concerning characteristics of FluHorse is its ability to go undetected for extended periods of time, making it a persistent and dangerous threat that is difficult to detect.
FluHorse attacks, according to the report, begin with targeted and malicious emails sent to high-profile individuals, urging them to take immediate action to resolve an alleged payment issue.
Typically, a hyperlink in the email directs the target to a phishing website. They are then prompted to download the bogus APK (Android package file) of the phony application.
The FluHorse carrier apps are designed to look like ‘ETC,’ a Taiwanese toll collection app, and ‘VPBank Neo,’ a Vietnamese banking app.
Both legitimate versions of these apps have over a million downloads on Google Play.
Furthermore, according to the report, all three fake apps request SMS access upon installation in order to intercept incoming 2FA codes in case they are required to hijack the accounts.
The fake apps mimic the original user interfaces but lack functionality beyond two to three windows that load forms that collect information from the victim.
After capturing the victims’ account credentials and credit card information, the apps display a “system is busy” message for 10 minutes to make the process appear realistic, while the operators act in the background to intercept 2FA codes and leverage the stolen data.