
Cybersecurity researchers have shared the inner workings of an Android malware family called Fluhorse.
In a report released last week, Axelle Apvrille, a researcher at Fortinet FortiGuard Labs, said the malware “implements malicious components directly within the Flutter code, marking a significant change.”
Fluhorse was first documented by Check Point in early May 2023, in a report detailing attacks against users in East Asia via malicious apps masquerading as ETC and VPBank Neo, services popular in Taiwan and Vietnam respectively. The initial entry vector for the malware is phishing.
The ultimate goal of these apps is to steal credentials, credit card details and two-factor authentication (2FA) codes received via SMS, and to send them to a remote server under the attacker’s control.

Fortinet’s latest research, which reverse-engineered a Fluhorse sample uploaded to VirusTotal on June 11, 2023, shows that the malware has evolved and gained further sophistication by hiding an encrypted payload inside a packer.
“Decryption is performed at a native level (to hinder reverse engineering) using OpenSSL’s EVP encryption API,” Apvrille explained. The encryption algorithm is AES-128-CBC, and its implementation uses the same hardcoded string for both the key and the initialization vector (IV).
The decrypted payload, a ZIP file, contains a Dalvik executable (.dex). Once installed on the device, this file listens for incoming SMS messages and exfiltrates them to the remote server.
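The two paragraphs above describe a fixed unpacking chain: AES-128-CBC with one hardcoded string reused as key and IV, then a ZIP whose member is a .dex. The Go program below is an added example written for this article, not code from Fortinet, Check Point or the malware itself, that replays that chain the way an analyst would once the string has been pulled out of the native library. It assumes: the hardcoded string here (`hardcodedSecret`) is a placeholder, since the real one is not on the page; the key is taken as the first 16 bytes of that string (the report only says the same string is used for both, not how it is sliced); the packer uses OpenSSL’s default PKCS#7 padding; and the packed blob and the member name `classes.dex` are constructed sample data, not bytes from the real sample. Go is used because its standard library provides AES-CBC and ZIP parsing without extra dependencies.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"io"
)

// Stand-in for the string the packer hardcodes; the real value is not on the
// page, so this one is constructed for the demo (must be >= 16 bytes).
const hardcodedSecret = "example-secret-for-demo-only"

// keyAndIV mirrors the weakness Fortinet describes: the first 16 bytes of one
// hardcoded string are used as both the AES-128 key and the CBC IV (assumed slicing).
func keyAndIV(secret string) (key, iv []byte) {
	k := []byte(secret[:aes.BlockSize])
	return k, k
}

// pkcs7Unpad strips the padding OpenSSL's EVP_Decrypt* removes by default (assumed);
// a wrong key/IV almost always surfaces here as a padding error.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return nil, errors.New("bad PKCS#7 padding: wrong key/IV or corrupt ciphertext")
	}
	return b[:len(b)-n], nil
}

// decryptPayload replays the packer's decryption step: AES-128-CBC, key == IV.
func decryptPayload(ct []byte, secret string) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 16")
	}
	key, iv := keyAndIV(secret)
	block, _ := aes.NewCipher(key) // key is exactly 16 bytes, cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// dexEntries parses the plaintext as a ZIP and returns the members whose
// first bytes are the DEX magic "dex\n" + 3-digit version + NUL.
func dexEntries(payload []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(payload), int64(len(payload)))
	if err != nil {
		return nil, fmt.Errorf("decrypted payload is not a ZIP: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		magic := make([]byte, 8)
		n, _ := io.ReadFull(rc, magic)
		rc.Close()
		if n == 8 && bytes.HasPrefix(magic, []byte("dex\n")) && magic[7] == 0 {
			found = append(found, f.Name)
		}
	}
	return found, nil
}

// buildSampleCiphertext constructs a stand-in for the packed payload: a ZIP with a
// minimal classes.dex (valid magic, no code) and a decoy, encrypted as the report
// describes. Constructed data, not bytes from the real sample.
func buildSampleCiphertext(secret string) []byte {
	var zbuf bytes.Buffer
	zw := zip.NewWriter(&zbuf)
	for name, body := range map[string][]byte{
		"classes.dex":      append([]byte("dex\n035\x00"), make([]byte, 24)...),
		"assets/notes.txt": []byte("decoy, not a dex file"),
	} {
		w, _ := zw.Create(name) // writes into an in-memory buffer, cannot fail
		w.Write(body)
	}
	zw.Close()
	key, iv := keyAndIV(secret)
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - zbuf.Len()%aes.BlockSize
	pt := append(zbuf.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// unpackSample packs with the (placeholder) real secret and unpacks with the one
// supplied, so a wrong guess shows how failure surfaces: blob -> ZIP -> DEX members.
func unpackSample(secret string) ([]string, error) {
	pt, err := decryptPayload(buildSampleCiphertext(hardcodedSecret), secret)
	if err != nil {
		return nil, err
	}
	return dexEntries(pt)
}

func main() {
	names, err := unpackSample(hardcodedSecret)
	if err != nil {
		panic(err)
	}
	fmt.Println("DEX members in decrypted payload:", names)
}
```

Against a real sample the analyst would replace `buildSampleCiphertext` with the blob carved out of the APK and `hardcodedSecret` with the string recovered from the native library; because key and IV are the same hardcoded value, recovering that one string is all the decryption needs, which is what makes this packer weak despite the native-code indirection.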
“Unfortunately, we expect more malicious Flutter apps to be released in the future, so statically reversing Flutter applications is a breakthrough for antivirus researchers,” Apvrille said.