FluHorse – CPR Exposes Newly Discovered Malware Disguised as Legitimate and Popular Android Apps Targeting East Asia
New Delhi, 9th May, 2023: Check Point Research (CPR) has spotted a concerning new malware strain, dubbed FluHorse. The malware operates via a set of malicious Android applications, each of which mimics a popular and legitimate app with over 100,000 installs. These malicious apps are designed to extract sensitive information, including user credentials and Two-Factor Authentication (2FA) codes.
Two-factor authentication (2FA) improves security for anyone using an online service or accessing corporate resources: before access is granted, the user must provide two different types of information to prove they are who they claim to be.
FluHorse targets multiple sectors in East Asia and is typically distributed via email. In some cases, high-profile entities such as government officials were targeted during the initial stages of the phishing email attack. FluHorse arrives as the APAC region experiences a major increase in cyberattacks: in the first quarter of 2023, the average organization in APAC was attacked 1,835 times per week according to Check Point Research, a 16% increase over the first quarter of 2022.
One of FluHorse’s most worrying aspects is its ability to remain undetected for extended periods of time, making it a persistent and dangerous threat that is difficult to identify. CPR urges businesses and individuals in the affected regions to remain vigilant and take steps to protect themselves against this sophisticated and potentially devastating new malware.
In this research, CPR describes the different attacks and provides examples of the malicious phishing applications side by side with the legitimate Android apps they mimic, showing how difficult it can be to spot the differences.
According to Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Research:
“Cyber criminals are targeting organizations and individuals in Taiwan and Vietnam, amongst others, with a new, sophisticated type of malware called FluHorse. By mimicking popular mobile apps for banking, transportation, and toll collection, the hackers are trying to steal sensitive information that can be used to bypass two-factor authorization (2FA) and gain access to the victim’s accounts.”
Cybercriminals often opt for popular apps with a high number of downloads to maximize the impact of their attack and gain greater traction.
This case was no exception.
The attackers chose an eclectic selection of sectors to target in specific countries, using one mimicked application per country:
The attackers chose to mimic applications from reputable companies because they are confident that such applications attract financially stable customers, since the companies behind them have a solid reputation for trustworthiness.
The diagram below summarizes the phishing scheme in graphical form. After the victim enters their credentials, they are sent to a server controlled by the attackers (the C&C server). The malware then tells the victim to wait while the information is being processed. At the same time, the malware starts intercepting all incoming text messages, including any codes sent for two-factor authentication. Once the attackers have stolen the victim’s login credentials or credit card information, they can combine it with the intercepted codes to bypass 2FA and gain access to the victim’s accounts.
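As an added example (not part of CPR's research), the Python below triages a constructed inventory of installed Android apps for the pattern described above: an app whose label mimics a known app but whose package name or signing certificate differs, and which requests the SMS permissions needed to read incoming 2FA codes. All labels, package names and signer hashes are assumptions, not real indicators.

```python
# Added example (not from the CPR report): triage a constructed inventory of
# installed Android apps for the FluHorse pattern described above: an app whose
# visible label copies a well-known app while its package name or signing
# certificate differs, and which asks for SMS permissions (what an app needs to
# read incoming 2FA codes). All labels, packages and signer hashes are
# constructed placeholders, not real indicators.

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Allowlist of legitimate apps: label -> (expected package, expected signer hash).
KNOWN_APPS = {
    "ETC Toll": ("com.example.etc.official", "sha256:AAAA"),
    "Example Bank": ("com.example.bank.official", "sha256:BBBB"),
}

def triage(inventory):
    """Return [(package, reasons)] for apps that match the mimic pattern."""
    findings = []
    for app in inventory:
        expected = KNOWN_APPS.get(app["label"])
        if expected is None:
            continue  # label does not impersonate an allowlisted app
        exp_pkg, exp_signer = expected
        reasons = []
        if app["package"] != exp_pkg:
            reasons.append("package differs from legitimate app")
        if app["signer"] != exp_signer:
            reasons.append("signing certificate differs from legitimate app")
        if not reasons:
            continue  # genuine copy of the app
        sms = SMS_PERMISSIONS & set(app["permissions"])
        if sms:
            reasons.append("requests SMS access: " + ", ".join(sorted(sms)))
        findings.append((app["package"], reasons))
    return findings

# Constructed sample inventory: the genuine app, a mimic that reads SMS, and an
# unrelated app that reads SMS but impersonates nothing.
SAMPLE_INVENTORY = [
    {"label": "ETC Toll", "package": "com.example.etc.official",
     "signer": "sha256:AAAA", "permissions": ["android.permission.INTERNET"]},
    {"label": "ETC Toll", "package": "com.example.etc.update", "signer": "sha256:ZZZZ",
     "permissions": ["android.permission.INTERNET", "android.permission.RECEIVE_SMS"]},
    {"label": "Weather", "package": "com.example.weather", "signer": "sha256:CCCC",
     "permissions": ["android.permission.READ_SMS"]},
]
```

Only the second entry is reported: it copies the "ETC Toll" label, differs in package and signer, and holds RECEIVE_SMS, while the genuine app and the unrelated SMS-reading app are left alone.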
Luring victims to download the mimicked apps
Phishing emails are one of the most common cyber threats that an organization and individuals may face. Phishing attacks can be used to accomplish a variety of goals for an attacker including stealing user credentials, data, and money, as well as delivering malware to a recipient’s computer or luring the victim to download a file.
CPR discovered multiple high-profile entities among the recipients of these specific emails in this attack, including employees from the government sector and large industrial companies.
This is an example of one of these lure emails, aiming to have the victim download the malicious app:
This is the email translation:
Dear eTag user
Your one-time toll of 128 yuan expires on January 10, 2023. To avoid a fine of 300 yuan per transaction, please use your mobile phone to click and download the Yuantong Electric Collection App as soon as possible. Pay online. https://www.fetc-net[.com
Far Eastern Electronic Toll Collection Co., Ltd. All Rights Reserved.
Yuantong Electric has trademarks and copyrights, please do not copy or reprint without authorization.
If you have any questions, please call Yuantong Customer Service Line 02-77161998.