Malware Disguised As Legitimate Android Apps

Uploaded on 2023-05-09 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Hackers

Researchers at Check Point Software have spotted a concerning new malware strain, dubbed FluHorse. The malware operates via a set of malicious Android applications, each of which mimics a popular and legitimate app with over 100,000 installs. 

These malicious apps are designed to extract sensitive information, including user credentials and Two-Factor Authentication (2FA) codes which are widely used to secure sensitive online services and corporate resources. This typically requires the user to provide two different types of information to authenticate their identity to prove they are who they say they are before access is granted.

FluHorse targets multiple sectors in Eastern Asia and is typically distributed via email. In some cases, high-profile entities such as governmental officials were targeted at the initial stages of the phishing email attack. FluHorse is experiencing a major increase in cyber attacks, in the first quarter of 2023, the average organisation in the APAC region was attacked 1,835 times per week - a 16% increase over the first quarter of 2022.

One of FluHorse’s most worrying aspects is its ability to remain undetected for extended periods of time, making it a persistent and dangerous threat that is difficult to identify.

In their research, Check Point describe the different attacks, and provides examples of the phishing malicious applications, compared to the original, legitimate mimicked android apps, showing how difficult it may be to spot the differences. 

Mimicked Applications 

Cyber criminals often opt for popular apps with a high number of downloads to maximise the impact of their attack and gain greater traction. The attackers chose an eclectic selection of targeted sectors for specific countries, using one mimicked application in each country, including Tawian (Road Tolls and Vietnam (banking). Attackers have devised mimicked applications from reputable companies because they are confident that such applications will attract financially stable customers. This is because the companies behind these applications have a reputation for trustworthiness.

Luring Victims To Download Mimicked Apps

Phishing emails are one of the most common cyber threats that an organization and individuals may face. Phishing attacks can be used to accomplish a variety of goals for an attacker including stealing user credentials, data, and money, as well as delivering malware to a recipient’s computer or luring the victim to download a file. Check Point discovered multiple high-profile entities among the recipients of these specific emails in this attack, including employees of the government sector and large industrial companies.

How To Identify A Spoofed Email

Spoofed emails are part of phishing campaigns, which are designed to trick the recipient into taking some action that helps the attacker. If an email has an embedded link to click, an attachment, or requests some other action, then it is wise to check it for spoofing. In some cases, the attacker may use a real, lookalike address. In others, the value of the 'From' header may be replaced with a legitimate address that is not under the sender’s control.

While the first case can usually be detected by taking a careful look at the sender’s email address, the second are more tricky and require greater caution. Spoofed 'From'  addresses can be identified based on: 

Context: Phishing emails are designed to look legitimate, but they may not always succeed. If an email doesn’t sound like it came from the alleged sender, it may be a spoofed phishing email.

Reply-To: A Reply-To address enables replies to an email from one address to be directed to another. While this has legitimate uses (such as mass email campaigns), it is unusual and should be cause for suspicion for emails coming from a personal account.

Received: The 'Received' header in an email indicates the IP addresses and domain names of the computers and email servers along the path that the email traveled. An email from and to email addresses within the same company should only pass through the company’s email server.

Check Point advises businesses and individuals in the affected regions to remain vigilant and take steps to protect themselves against this sophisticated and potentially devastating new malware. Their full technical analysis can be found HERE

You Might Also Read: 

Trojan Malware Installed On Millions Of Android Devices:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Insurers Must Pay Merck's $1.4B Losses For NotPetya
Climate Change & Cyber Security »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Dragos

Dragos

Dragos has built the first industrial cybersecurity ecosystem, the ultimate security defense.

Advanced Systems International SAC

Advanced Systems International SAC

Advanced Systems international is a global company dedicated to data security software design, development, support, and licensing.

Enosys Solutions

Enosys Solutions

Enosys Solutions is an IT security specialist with a skilled professional services team and 24x7 security operations centre servicing corporate and public sector organisations across Australia.

Identifi Global Recruitment

Identifi Global Recruitment

Identifi Global is one of the UK's leading Cyber Security & IT Recruitment specialists.

Sixgill

Sixgill

Sixgill, an IoT sensor platform company, builds the universal data service and smart process automation software allowing any organization to effectively govern its IoE assets.

M12

M12

M12 (formerly Microsoft Ventures) is the corporate venture capital subsidiary of Microsoft.

SpecterOps

SpecterOps

SpecterOps has unique insight into the cyber adversary mindset and brings the highest caliber, most experienced resources to assess your organizations defenses.

Cybermerc

Cybermerc

Cybermerc's services, training programmes and cyber security solutions are designed to forge collaborations across industry, government and academia, for collective defence of our digital borders.

SecureAge Technology

SecureAge Technology

We’re a rapidly growing cybersecurity company with an 18-year history of ZERO Data breaches. Our security solutions place security and usability on equal footing. Learn more about our technology.

Deft

Deft

Deft (formerly ServerCentral Turing Group) is a trusted provider of colocation, cloud, and disaster recovery services.

Gridware

Gridware

Gridware is a specialised cybersecurity consultancy firm and an emerging global player in the cybersecurity intelligence and advisory field.

DH2i

DH2i

DH2i is a leading provider of multi-platform Software Defined Perimeter and Smart Availability software enabling customers to create an entire IT infrastructure that is always-secure and always-on.

ActiveFence

ActiveFence

ActiveFence enables Trust & Safety teams to be proactive about online integrity so they can keep their users safe from online harm – across content formats, languages, and abuse areas.

Seedcamp

Seedcamp

Seedcamp identify and invest early in world-class founders attacking large and global markets through disruptive technology in areas including AI, cybersecurity, and Fintech.

DeltaSpike

DeltaSpike

DeltaSpike empowers individuals and organizations worldwide through its comprehensive cybersecurity solutions.

Swick Technologies (SWICKtech)

Swick Technologies (SWICKtech)

SWICKtech offer IT managed services to increase IT security, stability, and performance for your organization.