A strain of malware infecting Android devices
called FluHorse has been discovered by
Check Point Research (via BleepingComputer).
The malware is disseminated via email and will steal credit card data,
passwords, and even two-factor authentication (2FA) codes. The attacks have been
spotted in Eastern Asia since 2022 and usually start with an email sent to a
potential victim demanding that an immediate payment be made to clear up a
problem with an account.
The email includes a link taking the victim to fake versions
of legitimate apps. These phony apps include ETC, a toll-collection
app in Taiwan, and VPBank Neo, a banking app in Vietnam.
The real versions of these apps each have over 1 million installs from the Google
Play Store. Check Point also discovered that a fake version of a real transport
app with 100,000 installs is being used, but this app was not named.
[Image: Apps mimicked by the FluHorse malware. Image credit: Check Point Research]
To hijack any 2FA codes sent, the three apps request SMS
access. With 2FA, a user can open an app or website by typing in a password and
a special code that is sent to the user's phone by text. The fake apps copy the
UIs of the real apps but don't do much outside of collecting the user's
information including credit card data. Then, to make it appear as though some
real processing is going on, the screen says "system is busy" for 10
minutes. What's really happening is that 2FA codes are being stolen along with
personal information.
[Image: How FluHorse works]
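The two traits described above, an app that arrives through an emailed link rather than the Play Store and asks for SMS access, can be checked for when triaging a suspicious APK. The sketch below is an added example, not code from Check Point or from this article; it reads a decoded AndroidManifest.xml and flags that combination. The package names and manifests are constructed samples, and the `triage` helper and its verdict labels are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that let an app read incoming texts, including 2FA codes.
SMS_READ_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play's installer package


def sms_permissions(manifest_xml):
    """Return (package, sorted SMS-read permissions) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            requested.add(element.get(ANDROID_NS + "name"))
    return root.get("package"), sorted(requested & SMS_READ_PERMISSIONS)


def triage(manifest_xml, installer):
    """Flag apps that can read SMS and were not installed by the Play Store.

    installer is the recorded installer package, or None when sideloaded.
    """
    package, perms = sms_permissions(manifest_xml)
    sideloaded = installer != PLAY_STORE_INSTALLER
    if perms and sideloaded:
        verdict = "review"   # matches the delivery and permission pattern
    elif perms:
        verdict = "note"     # SMS access, but from the store
    else:
        verdict = "ok"
    return {"package": package, "sms_permissions": perms,
            "sideloaded": sideloaded, "verdict": verdict}


# Constructed sample manifests (hypothetical package names).
SAMPLE_SMS_APP = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tollpay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""
SAMPLE_PLAIN_APP = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_SMS_APP, None))
    print(triage(SAMPLE_PLAIN_APP, None))
```

A "review" verdict is a prompt for a closer look, not proof of malware, since legitimate apps also request SMS access.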
According to Check Point, this is an active and ongoing
threat to Android users and it is always best not to give away personal
information like credit card numbers and social security numbers online. And
just because this organized attack has been spotted in a different region of
the world, it doesn't mean that you should be lax when it comes to safeguarding
your personal data.