The FluHorse malware features several malicious Android applications that mimic legitimate applications each with more than 100,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.
Quite surprisingly, no custom implemented tricks are used inside FluHorse, as the malware authors relied solely on an open-source framework for the development process of malicious functionality. It is implemented with Flutter – an open-source UI software development kit created by Google and is used to develop cross-platform applications for various platforms, including Android and iOS for mobile devices, with a single codebase. What makes Flutter an appealing choice for malware developers is the use of a custom virtual machine to support different platforms and its ease of use for creation of GUI elements. Analyzing such applications is complicated, due to the custom VM, which makes this framework a perfect solution for Android phishing attacks, as it turned out to be.
In our research, we describe different targeted markets in several countries and compare phishing applications with the legitimate ones – differences are pretty hard to spot at first glance. We give credits to the available tools for Flutter-application analysis while also providing the enhancements that resulted in our open-source contribution: https://github.com/Guardsquare/flutter-re-demo/pull/4. We go through all the pitfalls encountered during our research and provide solutions on how to bypass them. Finally, we give an overview of Command-and-Control communication of the malware as well as dive deeply into the details of the network infrastructure analysis.