Malware Disguised As Legitimate Android Apps

Researchers at Check Point Software have spotted a concerning new malware strain, dubbed FluHorse. The malware operates via a set of malicious Android applications, each of which mimics a popular and legitimate app with over 100,000 installs. 

These malicious apps are designed to extract sensitive information, including user credentials and Two-Factor Authentication (2FA) codes, which are widely used to secure sensitive online services and corporate resources. 2FA typically requires the user to provide two different types of information to prove they are who they say they are before access is granted.

FluHorse targets multiple sectors in Eastern Asia and is typically distributed via email. In some cases, high-profile entities such as governmental officials were targeted at the initial stages of the phishing email attack. The region is experiencing a major increase in cyber attacks: in the first quarter of 2023, the average organisation in the APAC region was attacked 1,835 times per week, a 16% increase over the first quarter of 2022.

One of FluHorse’s most worrying aspects is its ability to remain undetected for extended periods of time, making it a persistent and dangerous threat that is difficult to identify.

In their research, Check Point describe the different attacks and provide examples of the malicious phishing applications alongside the original, legitimate Android apps they mimic, showing how difficult it can be to spot the differences.

Mimicked Applications 

Cyber criminals often opt for popular apps with a high number of downloads to maximise the impact of their attack and gain greater traction. The attackers chose an eclectic selection of targeted sectors for specific countries, using one mimicked application in each country, including Taiwan (road tolls) and Vietnam (banking). Attackers mimic applications from reputable companies because they are confident that such applications will attract financially stable customers, since the companies behind them have a reputation for trustworthiness.

Luring Victims To Download Mimicked Apps

Phishing emails are one of the most common cyber threats that organisations and individuals face. Phishing attacks can be used to accomplish a variety of goals for an attacker, including stealing user credentials, data and money, as well as delivering malware to a recipient's computer or luring the victim into downloading a file. Check Point discovered multiple high-profile entities among the recipients of the emails in this attack, including employees of the government sector and large industrial companies.

How To Identify A Spoofed Email

Spoofed emails are part of phishing campaigns, which are designed to trick the recipient into taking some action that helps the attacker. If an email has an embedded link to click, an attachment, or requests some other action, then it is wise to check it for spoofing. In some cases, the attacker may use a real, lookalike address. In others, the value of the 'From' header may be replaced with a legitimate address that is not under the sender’s control.

While the first case can usually be detected by taking a careful look at the sender's email address, the second is trickier and requires greater caution. Spoofed 'From' addresses can be identified based on:

Context: Phishing emails are designed to look legitimate, but they may not always succeed. If an email doesn’t sound like it came from the alleged sender, it may be a spoofed phishing email.

Reply-To: A Reply-To address enables replies to an email from one address to be directed to another. While this has legitimate uses (such as mass email campaigns), it is unusual and should be cause for suspicion for emails coming from a personal account.

Received: The 'Received' header in an email indicates the IP addresses and domain names of the computers and email servers along the path that the email traveled. An email from and to email addresses within the same company should only pass through the company’s email server.
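The two header-based checks above (Reply-To and Received) can be automated. The following is an added example, not code from the article or from Check Point's report: it uses Python's standard-library email parser to run both checks over a constructed message. The company domain example.com, the host names and every header value are made-up assumptions for the demonstration; the context check is left to a human reader.

```python
"""Heuristic spoofed-'From' checks over raw email headers.

Added example (not from the article or the Check Point report). Applies the
Reply-To and Received checks described above to a constructed message. The
company domain and all sample header values are assumptions for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the defender's own mail domain

# Constructed sample: From and To are both at the company domain, but the
# message carries an external Reply-To and passed through an outside server.
SAMPLE_EMAIL = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.com with ESMTP id abc123; Mon, 1 May 2023 09:00:00 +0000
Received: from relay.attacker-mail.invalid (relay.attacker-mail.invalid [198.51.100.7])
\tby mail.example.com with ESMTP id def456; Mon, 1 May 2023 08:59:58 +0000
From: "Finance Director" <director@example.com>
To: staff@example.com
Reply-To: director.example@free-mail.invalid
Subject: Urgent: install the updated expenses app
Content-Type: text/plain

Please install the attached app today.
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an RFC 5322 address, or ''."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_hosts(msg) -> list:
    """Extract the 'from <host>' token of every Received header (newest first)."""
    hosts = []
    for hop in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([^\s(]+)", hop)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def is_internal_host(host: str, company_domain: str) -> bool:
    """True when the host is the company domain or a sub-domain of it."""
    return host == company_domain or host.endswith("." + company_domain)


def spoofing_indicators(raw: str, company_domain: str = COMPANY_DOMAIN) -> list:
    """Return human-readable reasons why the message looks spoofed (empty if none)."""
    msg = message_from_string(raw)
    reasons = []
    from_dom = domain_of(msg.get("From"))
    to_dom = domain_of(msg.get("To"))
    reply_dom = domain_of(msg.get("Reply-To"))

    # Check 1: a Reply-To that redirects replies away from the From domain.
    if reply_dom and reply_dom != from_dom:
        reasons.append(
            f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}"
        )

    # Check 2: internal-to-internal mail should only traverse company servers.
    if from_dom == company_domain and to_dom == company_domain:
        external = [
            h for h in received_hosts(msg) if not is_internal_host(h, company_domain)
        ]
        if external:
            reasons.append(
                f"internal message passed through external host(s): {external}"
            )
    return reasons


if __name__ == "__main__":
    for reason in spoofing_indicators(SAMPLE_EMAIL):
        print("SUSPICIOUS:", reason)
```

Received headers are prepended by each server the message passes through, so the newest hop appears first; the check above does not trust any single hop, it simply flags any host outside the company domain on a message that claims to be purely internal. In a real deployment the same logic would run inside a mail gateway or SIEM rule rather than over a string literal.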

Check Point advises businesses and individuals in the affected regions to remain vigilant and take steps to protect themselves against this sophisticated and potentially devastating new malware. Their full technical analysis can be found HERE
