Researchers have warned Android users of new malware that steals two-factor authentication (2FA) codes for various apps. Identified as FluHorse, the malware poses as legitimate Android applications and spreads via phishing emails. Users must avoid clicking links received in unsolicited emails or messages to avoid falling victim to FluHorse.
FluHorse Android Malware Steals 2FA Codes
According to a recent report from Check Point Research, the team identified new malware, “FluHorse,” that targets Android users’ 2FA codes.
Briefly, the malware poses as various legitimate apps to trick users into downloading it. These include banking apps, dating apps, and even toll collection apps.
To reach target devices, the threat actors use phishing emails that appear to include high-profile entities, such as government officials, to lend the emails credibility.
Once installed, the malware requests permission to access SMS messages, which lets it steal 2FA codes. On-screen, the app keeps showing a “system busy” message so that the user is not alerted. This gives the attacker time to scan all the messages.
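A defender-side triage for the SMS access described above, as an added example that is not from Check Point's report or the original article: it inspects a decoded AndroidManifest.xml (for instance, one produced by apktool) for SMS read permissions and an SMS_RECEIVED receiver. The package name and manifest are constructed, and the flagging rule (SMS read access plus network access) is an assumed heuristic that legitimate messaging apps will also match.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
INTERNET = "android.permission.INTERNET"

# Constructed sample manifest (hypothetical package, not a real indicator).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tollpay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Report what SMS access a decoded manifest declares."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    sms_perms = sorted(requested & SMS_PERMISSIONS)
    # Receivers that are woken up for every incoming SMS.
    receivers = [
        r.get(NAME)
        for r in root.iter("receiver")
        if SMS_RECEIVED in {a.get(NAME) for a in r.iter("action")}
    ]
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": receivers,
        # Assumed heuristic: can read SMS (OTPs) and can send data out.
        "flagged": bool(sms_perms) and INTERNET in requested,
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A flagged result is a prompt for review, not a verdict: the question is whether a toll, banking or dating app has any reason to read SMS at all.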
The two fake apps used in this campaign garnered over 1,000,000 downloads each. One of these mimicked the “ETC” toll collection app and was aimed at users in Taiwan, whereas the other impersonated the “VPBank Neo” banking app to target users in Vietnam.
These apps copied the exact layout of the original apps (with some minor differences) so that victims would notice nothing unusual. The malicious apps require victims to enter their credentials and credit card details. Access to the OTPs or 2FA codes then lets the attacker exploit the victims’ payment and login details even if the user had enabled 2FA on the respective legitimate apps.
The malware’s activity dates back to May 2022, which suggests FluHorse managed to escape detection for about a year. The researchers attribute this evasion to the malware’s less complicated structure.
Check Point advised users to avoid downloading malicious apps by securing their devices with a robust antimalware solution.