Cybersecurity researchers have shared the inner workings of an Android malware family referred to as Fluhorse.
The malware "represents a significant shift as it incorporates the malicious components directly within the Flutter code," Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week.
Fluhorse was first documented by Check Point in early May 2023, detailing its attacks on users located in East Asia through rogue apps masquerading as ETC and VPBank Neo, which are popular in Taiwan and Vietnam. The initial intrusion vector for the malware is phishing.
The ultimate goal of the app is to steal credentials, credit card details, and two-factor authentication (2FA) codes received as SMS, and to send them to a remote server under the control of the threat actors.
The latest findings from Fortinet, which reverse-engineered a Fluhorse sample uploaded to VirusTotal on June 11, 2023, suggest that the malware has evolved, adding sophistication by concealing the encrypted payload in a packer.
"Decryption is performed at the native level (to harden reverse engineering) using OpenSSL's EVP cryptographic API," Apvrille explained. "The encryption algorithm is AES-128-CBC, and its implementation uses the same hard-coded string for the key and initialization vector (IV)."
The decrypted payload, a ZIP file, contains a Dalvik executable file (.dex), which is then installed on the device to listen for incoming SMS messages and exfiltrate them to the remote server. Because both the key and the IV are derived from a single string hard-coded in the native library, an analyst who recovers that string can decrypt the packed payload offline without ever running the app.
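The unpacking step described above, as an added worked example rather than code from Fortinet or from the malware itself: the hard-coded string, the ZIP layout and the entry names below are placeholders (the page does not give the real ones), and the encrypted blob is constructed inline so the script runs offline. It derives the AES-128 key and IV from the same string, decrypts with AES-128-CBC, confirms the result is a ZIP, and validates any .dex entry by its magic, declared file size and Adler-32 header checksum, which is the check that tells you the key was right before you waste time on garbage output.

```python
"""Fluhorse-style packer unpacking, re-created as an illustration.

Not the malware's or Fortinet's code. HARDCODED, the ZIP layout and the
entry names are placeholders; the real values are not on the page.
Requires the 'cryptography' package for AES.
"""
import io
import struct
import zipfile
import zlib

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Placeholder for the packer's hard-coded string (assumption, not the real one).
HARDCODED = b"0123456789abcdef0123456789abcdef"

DEX_MAGIC = b"dex\n035\0"


def key_and_iv(secret: bytes) -> tuple:
    """AES-128-CBC needs a 16-byte key and a 16-byte IV. The sample reuses one
    string for both, so both are simply the first 16 bytes of that string."""
    if len(secret) < 16:
        raise ValueError("hard-coded string shorter than the AES block size")
    return secret[:16], secret[:16]


def aes128_cbc_decrypt(blob: bytes, secret: bytes) -> bytes:
    """Decrypt and strip PKCS#7 padding; raises ValueError on a wrong key."""
    key, iv = key_and_iv(secret)
    if len(blob) % 16 != 0:
        raise ValueError("ciphertext is not a multiple of the AES block size")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(blob) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def check_dex_header(dex: bytes) -> bool:
    """Sanity-check a DEX: magic, declared file_size, and the Adler-32 checksum
    stored at offset 8 that covers everything from offset 12 to the end."""
    if len(dex) < 0x70 or dex[:8] != DEX_MAGIC:
        return False
    (checksum,) = struct.unpack_from("<I", dex, 8)
    (file_size,) = struct.unpack_from("<I", dex, 32)
    return file_size == len(dex) and checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)


def unpack_payload(blob: bytes, secret: bytes) -> dict:
    """Decrypt the packed blob and return every .dex entry from the resulting
    ZIP whose header checks out, keyed by entry name."""
    plain = aes128_cbc_decrypt(blob, secret)
    if not plain.startswith(b"PK\x03\x04"):
        raise ValueError("decrypted data is not a ZIP; wrong key/IV?")
    found = {}
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".dex"):
                data = zf.read(name)
                if check_dex_header(data):
                    found[name] = data
    return found


# --- constructed sample: minimal DEX header inside a ZIP, then AES-128-CBC ---
def build_sample_dex() -> bytes:
    """0x70-byte DEX header with only magic, checksum, sizes and endian tag set."""
    hdr = bytearray(0x70)
    hdr[:8] = DEX_MAGIC
    struct.pack_into("<I", hdr, 32, len(hdr))      # file_size
    struct.pack_into("<I", hdr, 36, 0x70)          # header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)    # endian_tag
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def build_sample_blob(secret: bytes) -> bytes:
    """Encrypt a constructed ZIP the way the packer is described to do it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", build_sample_dex())
        zf.writestr("README.txt", b"not a dex")
    key, iv = key_and_iv(secret)
    pad = padding.PKCS7(128).padder()
    padded = pad.update(buf.getvalue()) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


if __name__ == "__main__":
    blob = build_sample_blob(HARDCODED)
    for name, data in unpack_payload(blob, HARDCODED).items():
        print(f"{name}: {len(data)} bytes, valid DEX header")
```

In a real triage session the `HARDCODED` value comes from the native library (a string referenced next to the EVP calls), and `blob` is the packed asset pulled out of the APK; everything else in the pipeline stays the same.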
"Reversing Flutter applications statically is a breakthrough for anti-virus researchers, as, unfortunately, more malicious Flutter apps are expected to be released in the future," Apvrille said.