FluHorse malware is stealing sensitive data from Android users


Over the past few years, malware attacks on iOS and Android have become rampant, with threat actors constantly finding new ways to infiltrate our systems. Now, according to a report from Check Point Research (CPR), threat actors are using a new strain of malware called FluHorse to target Android users and steal sensitive information such as credit card data, passwords, and two-factor authentication codes.

The malware, which primarily targets users in East Asia, is delivered through emails sent to high-profile individuals that prompt them to resolve a payment issue. The email contains a link that takes users to fake websites imitating legitimate apps, where the threat actors encourage them to install an APK of the fake app.

Once installed, the app requests SMS access so it can intercept incoming 2FA codes, and prompts users to enter their login credentials and credit card information to resolve the supposed payment issue. The app then displays a “system is busy” message for 10 minutes, during which it gathers the sensitive information and transmits it to the attackers. Since the apps closely mimic the appearance of the legitimate ones, many users fail to notice the limited functionality and malicious behavior.
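The behaviour described above leaves a visible trace in the app's manifest: a toll-collection or banking lookalike that requests SMS permissions and registers a receiver for incoming SMS broadcasts is a strong triage signal. The following is an added example, not code from Check Point's report or from the FluHorse sample, showing how a defender can flag such permissions in a decoded AndroidManifest.xml (a real APK's manifest is binary and would first be decoded with a tool such as apktool; the two manifests below are constructed for illustration). The permission names and the `SMS_RECEIVED` action are real Android identifiers; the package names and receiver name are made up.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace in the manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that let an app read or intercept text messages, i.e. the
# channel FluHorse abuses to capture one-time 2FA codes.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_MMS",
}

# Constructed manifest of a lookalike app: requests SMS access and registers a
# high-priority receiver for incoming SMS. Not the real FluHorse manifest.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.toll.lookalike">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="ETC">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of an app with no SMS access, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.toll.genuine">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="ETC"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def sms_receivers(manifest_xml):
    """Return names of <receiver> components that listen for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION:
                found.append(receiver.get(ANDROID_NS + "name"))
                break
    return found


def assess(manifest_xml):
    """Triage a decoded manifest for SMS-interception capability."""
    perms = requested_permissions(manifest_xml)
    sms_perms = perms & SMS_PERMISSIONS
    receivers = sms_receivers(manifest_xml)
    return {
        "sms_permissions": sms_perms,
        "sms_receivers": receivers,
        # Either signal alone is enough to pull the sample for a closer look.
        "suspicious": bool(sms_perms) or bool(receivers),
    }


if __name__ == "__main__":
    for label, manifest in (("lookalike", SUSPICIOUS_MANIFEST), ("genuine", BENIGN_MANIFEST)):
        print(label, assess(manifest))
```

This is a triage heuristic, not proof of malice: some legitimate apps do read SMS, but a toll or banking app that a user was pushed to sideload from an emailed link has no good reason to intercept incoming messages, and that combination is what the FluHorse flow depends on.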

The malware campaign, which has been active since last year, impersonates apps such as ETC, a toll-collection app used in Taiwan; VPBank Neo, a banking app in Vietnam; and an unnamed transportation app.

Warning to Android users

While threat actors are currently targeting users in East Asia, Check Point researchers have warned that the campaign could also spread to Western countries. And, since the threat actors are constantly producing new apps carrying FluHorse, Android users should be cautious when receiving emails that urge them to take immediate action, as these emails may lead to malware.

Moreover, as a matter of best practice, users should never download apps or files from third-party websites or from links provided in emails, should keep their devices updated to the latest security patch, enable 2FA, and install trustworthy antivirus software.

[Figure: attack chain]

2023-05-08 15:17:13