A new email phishing campaign that distributes a previously undocumented strain of Android malware called FluHorse is targeting East Asian markets. The malware consists of several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims' credentials and two-factor authentication (2FA) codes. The apps have been found to imitate popular apps like ETC and VPBank Neo, which are widely used in Taiwan and Vietnam. Evidence gathered so far shows that the activity has been active since at least May 2022.

The phishing scheme itself is fairly straightforward: victims are lured with emails that contain links to a bogus website that hosts malicious APK files. The website also includes checks that aim to screen victims and deliver the app only if their browser User-Agent string matches that of Android. Once installed, the malware requests SMS permissions and prompts the user to enter their credentials and credit card information, all of which is subsequently exfiltrated to a remote server in the background while the victim is asked to wait for several minutes.

The scheme was first discovered by Check Point, who released a technical report on the matter. They advise anyone who may have been affected to change their passwords and credit card information as soon as possible. As always, be vigilant when clicking on links in emails, even if they appear to come from a legitimate source.
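The User-Agent gating described above means a desktop analyst who visits the link sees only harmless HTML. The following is an added example, not code from Check Point or from the campaign, of a defender-side probe that requests the same URL under several User-Agent strings and flags the ones that are served an APK while others are not. The landing-page behaviour is a constructed stand-in, and fetch_with_ua() is a hypothetical helper for live use against a URL you are already investigating.

```python
# Added example: probe a suspected landing page for User-Agent-based cloaking.
# simulated_landing_page() is a constructed stand-in for the gated site;
# fetch_with_ua() is a hypothetical helper for live use.
from dataclasses import dataclass
from urllib.request import Request, urlopen

ANDROID_UA = "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/112.0 Mobile Safari/537.36"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/112.0 Safari/537.36"
IOS_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"

APK_TYPES = {"application/vnd.android.package-archive", "application/octet-stream"}
ZIP_MAGIC = b"PK\x03\x04"  # APK files are ZIP containers


@dataclass
class Probe:
    status: int
    content_type: str
    head: bytes  # first bytes of the response body


def simulated_landing_page(user_agent: str) -> Probe:
    """Constructed stand-in for the gated site: APK for Android UAs, HTML otherwise."""
    if "android" in user_agent.lower():
        return Probe(200, "application/vnd.android.package-archive", ZIP_MAGIC + b"\x14\x00")
    return Probe(200, "text/html; charset=utf-8", b"<html><body>Please wait...</body></html>")


def fetch_with_ua(url: str, user_agent: str, timeout: float = 10.0) -> Probe:
    """Hypothetical live helper: GET url with the chosen UA, reading only the first bytes."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:
        return Probe(resp.status, resp.headers.get("Content-Type", ""), resp.read(4))


def looks_like_apk(p: Probe) -> bool:
    """True if the Content-Type or the ZIP magic bytes indicate an APK download."""
    ctype = p.content_type.split(";")[0].strip().lower()
    return ctype in APK_TYPES or p.head.startswith(ZIP_MAGIC)


def find_cloaked_uas(fetch, user_agents):
    """Fetch under each UA; return the UAs that received an APK when at least
    one other UA did not, which is evidence of User-Agent-based cloaking."""
    results = {ua: fetch(ua) for ua in user_agents}
    served_apk = sorted(ua for ua, p in results.items() if looks_like_apk(p))
    return served_apk if 0 < len(served_apk) < len(results) else []


if __name__ == "__main__":
    flagged = find_cloaked_uas(simulated_landing_page, [ANDROID_UA, DESKTOP_UA, IOS_UA])
    print("cloaking detected for:", flagged)
```

For a live check, pass `lambda ua: fetch_with_ua(url, ua)` as the `fetch` argument; an empty result means every User-Agent received the same kind of content.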