Posted on May 14, 2023 at 8:58 AM
Researchers warn of new malware stealing 2FA authentication codes
Cybersecurity researchers have issued a warning to Android users about new malware that steals two-factor authentication (2FA) codes for a wide range of applications. The malware, known as FluHorse, can give a malicious actor a way to infiltrate the network and gain unauthorized access.
FluHorse malware steals 2FA codes
The FluHorse malware lures users by posing as a legitimate Android application, and it spreads across Android devices through phishing emails.
One way users can avoid falling victim to this malware is to avoid clicking links sent in unsolicited emails and messages. FluHorse can have significant effects on an Android user, because it can steal 2FA codes. A threat actor with access to these codes can break into sensitive apps on the device, including collecting financial information.
According to a report by Check Point, its research team detected a new malware known as FluHorse that targets Android users and infiltrates their devices. The malware poses as legitimate applications in order to trick users into downloading them, infecting the device and causing havoc.
The malware mimics a wide range of applications, including banking apps, dating apps, and toll-collection apps. To reach the target devices, the threat actors use phishing emails that largely target some of the most sensitive entities, including government officials. The emails are crafted so that the recipient believes they are credible.
After the malware has been installed, it requests permission to access SMS messages, which is what lets it steal 2FA codes. The app then keeps the user waiting by displaying a “system busy” message, which gives the attacker time to scan all the messages on the device.
“These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months, making it a persistent, dangerous, and hard-to-spot threat,” the Check Point research said.
The two fake apps used in this campaign have garnered more than one million downloads each, which shows that the extent of the damage is severe and that many Android users may have been affected.
Malicious apps include banking apps
One of the apps mimicked in this campaign is the “ETC” toll-collection application, which targets users in Taiwan. The other impersonates the “VPBank Neo” banking application.
This banking app targets users based in Vietnam. The fake applications copy the exact layout of the original apps, with only slight differences between the two. The malicious actors behind the attack rely on these similarities to ensure that the victim is not alarmed.
These malicious apps also urge victims to enter their credentials and a variety of credit card details. The malware then captures the OTPs or two-factor authentication codes sent to the user, which lets the threat actor complete payments and logins as the victim.
These details are exploited by the threat actor even though the user has set up 2FA on the legitimate apps. The malware activity in this case dates back to May last year, which suggests that FluHorse escaped detection for around one year.
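The two behaviours described above, an app asking for SMS access and then intercepting the victim's OTPs, both depend on a non-messaging app holding SMS permissions. As an added example (not part of this article or of the Check Point report), the following script triages `adb shell dumpsys package` output and lists every app other than the default SMS app that has been granted SMS permissions, noting whether it was installed from Play or sideloaded. The sample output is constructed, the package names are made up, and the script assumes the `dumpsys` layout shown in that sample.

```python
import re

# Constructed sample of `adb shell dumpsys package <pkg>` output for three apps.
# The layout mirrors real dumpsys output, but the package names, hashes and
# installer values are made up for this example.
SAMPLE_DUMPSYS = """\
Package [com.android.messaging] (1a2b3c):
    installerPackageName=null
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ SYSTEM_FIXED ]
      android.permission.READ_SMS: granted=true, flags=[ SYSTEM_FIXED ]
Package [com.example.bank] (4d5e6f):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
Package [com.example.tollpay] (7a8b9c):
    installerPackageName=null
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PLAY_STORE = "com.android.vending"  # installer id of the Play Store app


def parse_dumpsys(text):
    """Return {package: {"installer": str|None, "granted": set(permissions)}}."""
    pkgs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:  # start of a new package block
            current = pkgs.setdefault(m.group(1), {"installer": None, "granted": set()})
            continue
        if current is None:
            continue
        m = re.match(r"\s*installerPackageName=(\S+)", line)
        if m:  # "null" means no recorded installer, i.e. sideloaded or preinstalled
            current["installer"] = None if m.group(1) == "null" else m.group(1)
            continue
        m = re.match(r"\s*([\w.]+): granted=true", line)
        if m:  # only permissions actually granted at runtime count
            current["granted"].add(m.group(1))
    return pkgs


def flag_sms_readers(text, default_sms_app):
    """Apps other than the default SMS app that can receive or read SMS."""
    findings = []
    for name, info in parse_dumpsys(text).items():
        sms = sorted(p.rsplit(".", 1)[1] for p in info["granted"] & SMS_PERMS)
        if name == default_sms_app or not sms:
            continue
        origin = "play" if info["installer"] == PLAY_STORE else "sideloaded/unknown"
        findings.append((name, origin, sms))
    return findings
```

On a real device, feed it the output of `adb shell dumpsys package` for each installed package and pass the device's actual default SMS app; any sideloaded banking or toll app in the result is worth removing.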
The researchers attribute the malware's ability to avoid detection to its relatively simple structure, and it continues to be used against Android users and to cause harm. Check Point's research says users must avoid downloading malicious apps and should ensure their devices are protected with robust antimalware.
It is not the first time that Android devices have been targeted by malicious apps. Researchers have previously said that the Google Play Store contains some malicious apps that, if installed, could cause significant harm to users.
Google usually takes down these apps when they are reported or as soon as they are detected, but by the time they are removed they have already caused significant damage to users.