Android malware Fluhorse targets credit cards

Cybersecurity experts have recently disclosed the intricate workings of Fluhorse, an Android malware family.

The malware “represents a significant change, as it embeds malicious components directly into Flutter’s code,” Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week.

Fluhorsec Malware

In early May 2023, Check Point reported the emergence of Fluhorse, a malicious Android malware that targeted users in East Asia. This malware disguised itself as popular apps such as ETC and VPBank Neo, widely used in Taiwan and Vietnam respectively. Phishing served as the primary method of initial intrusion for this malware.

The ultimate goal of the app is to steal credentials, credit card information, and two-factor authentication codes (2FA) received via SMS and sending them to a remote server controlled by the hackers.

Apvrille explained that the decryption process of Fluhorse occurs at the native level, utilizing OpenSSL’s EVP cryptographic API to enhance protection against reverse engineering. The encryption algorithm employed is AES-128-CBC, with the implementation utilizing a static string as both the key and initialization vector (IV).

The decrypted payload, a ZIP file, contains within it a Dalvik executable file (.dex), which is then installed on the device to listen to incoming SMS messages and exfiltrate them to the remote server.

IOCS–Fluhorsec Malware

IOCS captured by fortinet:

2c05efa757744cb01346fe6b39e9ef8ea2582d27481a441eb885c5c4dcd2b65b

Other similar samples:

e8cdf809a5655124fa9347e7a90f071bed74907d3098737fd1184148ab475e39
6e7293564e7e2e051d42168b068535a7963974cdd6437a3242230b9593dc7f04
7cee6677790c493dddf16ff610a174e6536208f8853816cd0d71fc6bde56e93c
91f0a27ae5ca77930c21b19f33479e7abcb10dfcf2a92b690ccddea01434fe84
7dff0f7987f956c948847ea3659730408e35e4513b6adcd92d60ba48a93f62f1
6f0b3733f91a6af56bf5bc789b808475cb556f2d360131ef6a9082b98dfd0139
0a577ee60ca676e49add6f266a1ee8ba5434290fa8954cc35f87546046008388
25fee29a8cb3e6b71771897e34a58cf9c7c0be4805acabb36be886e93de03f62
663033dce1688186d6111c8637dd3bc79483bdb8fc1b2ad4d5ead030f79f84b7
6dbde61a3aa372e8af7aa049dd466a2892bbe0d1229866cb2ba46c8f61648a57
94bb98d9955947f9e7c502961e4b2a7724289e80b566035c14ac9fa6cf36df1c
852314984cbea056a782520654f84c828588b6a0163bdeb8f8d5016b05c205f9
c55feac16e7ca084f47a899281b566faf41b5666376353efeb9010fe5d23b526
0a106c851a267fb8590be1f033e995bfc559ffaf2be050b3f12f599e0c8c021c
32c427581a0368b66dd50b381772fb0d6dab30d8316f4e4f0d0373d453091cd0
7909593a310b245a1a92a78469be341b0849e6f1076af30f8266b1c5a861ead1
c25d533487499204771fac87787d38df91f0971b693dffa9b17fa0d92c80bfac
5af2ec81d09ecbf8c26a8887d96c948b3c61667b7ffc488fbd67239ea9ac2cd6
5481348e4751a494bc76ab4908071124f12624369401b717c7766e7d0645754d

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!