Malware Disguised As Legitimate Android Apps

Researchers at Check Point Software have spotted a concerning new malware strain, dubbed FluHorse. The malware operates via a set of malicious Android applications, each of which mimics a popular and legitimate app with over 100,000 installs. 

These malicious apps are designed to extract sensitive information, including user credentials and Two-Factor Authentication (2FA) codes which are widely used to secure sensitive online services and corporate resources. This typically requires the user to provide two different types of information to authenticate their identity to prove they are who they say they are before access is granted.

FluHorse targets multiple sectors in Eastern Asia and is typically distributed via email. In some cases, high-profile entities such as governmental officials were targeted at the initial stages of the phishing email attack. FluHorse is experiencing a major increase in cyber attacks, in the first quarter of 2023, the average organisation in the APAC region was attacked 1,835 times per week - a 16% increase over the first quarter of 2022.

One of FluHorse’s most worrying aspects is its ability to remain undetected for extended periods of time, making it a persistent and dangerous threat that is difficult to identify.

In their research, Check Point describe the different attacks, and provides examples of the phishing malicious applications, compared to the original, legitimate mimicked android apps, showing how difficult it may be to spot the differences. 

Mimicked Applications 

Cyber criminals often opt for popular apps with a high number of downloads to maximise the impact of their attack and gain greater traction. The attackers chose an eclectic selection of targeted sectors for specific countries, using one mimicked application in each country, including Tawian (Road Tolls and Vietnam (banking). Attackers have devised mimicked applications from reputable companies because they are confident that such applications will attract financially stable customers. This is because the companies behind these applications have a reputation for trustworthiness.

Luring Victims To Download Mimicked Apps

Phishing emails are one of the most common cyber threats that an organization and individuals may face. Phishing attacks can be used to accomplish a variety of goals for an attacker including stealing user credentials, data, and money, as well as delivering malware to a recipient’s computer or luring the victim to download a file. Check Point discovered multiple high-profile entities among the recipients of these specific emails in this attack, including employees of the government sector and large industrial companies.

How To Identify A Spoofed Email

Spoofed emails are part of phishing campaigns, which are designed to trick the recipient into taking some action that helps the attacker. If an email has an embedded link to click, an attachment, or requests some other action, then it is wise to check it for spoofing. In some cases, the attacker may use a real, lookalike address. In others, the value of the 'From' header may be replaced with a legitimate address that is not under the sender’s control.

While the first case can usually be detected by taking a careful look at the sender’s email address, the second are more tricky and require greater caution. Spoofed 'From'  addresses can be identified based on: 

Context: Phishing emails are designed to look legitimate, but they may not always succeed. If an email doesn’t sound like it came from the alleged sender, it may be a spoofed phishing email.

Reply-To: A Reply-To address enables replies to an email from one address to be directed to another. While this has legitimate uses (such as mass email campaigns), it is unusual and should be cause for suspicion for emails coming from a personal account.

Received: The 'Received' header in an email indicates the IP addresses and domain names of the computers and email servers along the path that the email traveled. An email from and to email addresses within the same company should only pass through the company’s email server.

Check Point advises businesses and individuals in the affected regions to remain vigilant and take steps to protect themselves against this sophisticated and potentially devastating new malware. Their full technical analysis can be found HERE

You Might Also Read: 

Trojan Malware Installed On Millions Of Android Devices:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Insurers Must Pay Merck's $1.4B Losses For NotPetya
Climate Change & Cyber Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigiCert

DigiCert

DigiCert is the only provider of enterprise-grade SSL, IoT and PKI solutions. Our certificates are trusted everywhere, millions of times every day, by companies across the globe.

Engage Black

Engage Black

Engage Black provides solutions for securing and protecting cryptographic keys, data at rest, and data in motion.

CyberForce Program - US Department of Energy

CyberForce Program - US Department of Energy

The Department of Energy’s (DOE) CyberForce Program is a workforce development program that seeks to inspire and develop the next generation of cyber defenders for the energy sector.

Safetica

Safetica

Safetica Technologies is a Czech software company that delivers data protection solutions for businesses of all types and sizes.

Assertion

Assertion

Assertion secures your collaboration (UC/CC) systems from cyber risks. Enforcing the right set of controls and monitoring them continually brings down risk to acceptable levels.

ABS Group

ABS Group

ABS Group provides risk and reliability solutions and technical services that help clients confirm the safety, integrity and security of critical assets and operations.

LevelOps

LevelOps

LevelOps is an industry application security platform that tracks and develops your application security.

Cyber Pop-Up

Cyber Pop-Up

Cyber Pop-Up provide on-demand access to top security experts. No recruiting. No onboarding. No overhead costs.

Digital Craftsmen Ltd

Digital Craftsmen Ltd

We're ISO27001 & Cyber Essentials Cybersecurity experts, delivering full cloud security and managed services. We take a bespoke approach for each client from hosting, optimising & securing them online

Securolytics

Securolytics

Securolytics offers the simplest, most complete and affordable IoT security for all organizations. Securolytics quickly identifies unmanaged devices to reduce security and compliance risks.

SynSaber

SynSaber

SynSaber is a data collection, detection, and visibility solution that forms the foundation of industrial cybersecurity.

Cynalytica

Cynalytica

Cynalytica deliver pioneering cybersecurity and machine analytics technologies that help protect critical infrastructure, securely enable Industry 4.0 and help accelerate digital transformation.

Enzen

Enzen

Enzen is a global knowledge practice that provides consulting, technology, engineering, operating and innovation services to the energy and utility sectors.

Encova Insurance

Encova Insurance

Encova’s cyber liability coverage protects you and your customers in case of a security breach in your company's data.

Fireblocks

Fireblocks

Fireblocks is a digital asset security platform that helps financial institutions protect digital assets from theft or hackers.

Cytex

Cytex

Cytex is the All-in-One solution for SMB data protection & compliance needs.