Check Point Research has recently published a study revealing the discovery of a previously unknown malware variant dubbed FluHorse.
The malware comprises multiple malicious Android apps that impersonate legitimate ones, and unfortunately, most of these fake apps have already been installed by over 1,000,000 users.
All these malicious applications are designed to steal victims’ credentials and 2FA codes, compromising their personal and sensitive information.
FluHorse targets various industries across the Eastern Asian market and is distributed through email.
These attacks can prove persistent, dangerous, and challenging to detect, as they often leverage email accounts belonging to high-profile entities during the initial stages.
Attackers find applications that mimic trusted, reputable companies particularly enticing since they are likely to attract financially capable customers.
The legitimacy of these copied applications makes them even more appealing to hackers.
- ETC with 1,000,000+ Google Play installsVPBank
- Neo with 1,000,000+ Google Play installs
According to the ETC APK developer’s website, the application generates approximately 16 million transactions daily, with over 6 million users relying on its services.
VPBank, a major private bank in Vietnam, recorded total assets surpassing 631 trillion dongs as of December 2022, cementing its position as one of the country’s biggest financial institutions.
While the enterprise encompasses a diverse range of financial services like:-
- Spanning retail
- Consumer Finance
- Wealth management operations
Also, experts have noted the presence of other malicious dating applications’ presence. However, they have not discovered any corresponding applications that the malware attempts to impersonate.
The malicious applications contain nothing beyond multiple window replicas that offer the victim input options.
While the scheme’s effectiveness remains undisputed, regardless of the attackers’ intentions, once the victim enters their sensitive data, the information is swiftly exfiltrated to the command and control (C&C) server.
Upon reaching this step, the