This dangerous new Android malware can steal your passwords and 2FA codes

May 9, 2023

1 minute read

(Image credit: Future | Alex Walker-Todd)

Multiple Android apps found distributing an infostealer

Cybersecurity experts from Check Point Research recently discovered a new malware campaign targeting Android users in Easter Asia. In the campaign, the threat actors built mobile apps that mimicked actual solutions and tried to trick people into downloading them.

Those that would fall for the trick would end up giving sensitive personal data, such as pas sword and banking details, to the hackers.

The researchers dubbed the malware “FluHorse”, reporting its operators have been active for a year now. The criminals would try to distribute the malware via email, sending phishing emails to “high-profile” targets telling them to download an app and sort out a pending payment problem.

Low effort

Some of the apps being distributed through these email messages are Taiwanese toll-collection app ETC, VPBank Neo, a Vietnamese banking app, and an unnamed transportation app. The legitimate versions of the first two apps have more than a million downloads, while the third one has 100,000 downloads.The operators didn’t really try to copy the legitimate apps completely, the researchers found, but rather just copied a few windows and mimicked the graphic user interface (GUI). As soon as the victim enters their account credentials and credit card details, the app would display a “system is busy” message, in an attempt to buy time, as it shares the stolen data with the attackers.

The apps are also capable of intercepting multi-factor authentication (MFA) codes, as well.

The common denominator for all email-borne Android attacks is that they all invite the victim to “urgently” download an app from a third-party repository, which would then ask for plenty of permissions. To stay safe, it’s best to use common sense – emails from legitimate companies rarely have “urgent” requests, and would not have their official apps sitting on shady, third-party repositories. Finally, asking for excessive permissions is a major red flag, as well.