Loan Scam Campaign 'MoneyMonger' Exploits Flutter to Hide Malware

Threat actors have been exploiting the open-source user interface (UI) software kit Flutter to deploy apps with critical security and privacy risks.

The findings come from security researchers at Zimperium, who published an advisory about the new threat earlier today.

“While Flutter has been a game changer for application developers, malicious actors have also taken advantage of its capabilities and framework,” the team wrote.

In particular, the Zimperium zLabs team said it recently discovered and analyzed a Flutter application with malicious code.

The code, part of a more extensive, predatory loan malware campaign previously discovered by K7 Security Labs, uses Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity via static analysis.

“Due to the nature of Flutter, the malicious code and activity now hide behind a framework outside the static analysis capabilities of legacy mobile security products,” wrote Fernando Ortega, malware researcher at Zimperium.

Dubbed by the team as 'MoneyMonger,' the malicious app has not reportedly been detected in official Android stores.

“This novel malware campaign is solely distributed through third-party app stores and sideloaded onto the victim’s Android device,” Ortega explained.

According to Ortega, the new variant of the malicious loan campaign has been active since at least May 2022.

“The MoneyMonger malware uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme, promising quick money to those who follow a few simple instructions,” wrote the security researcher.

In particular, once installed, the app prompts the user to grant several permissions on the mobile endpoint to ensure they are in good standing to receive the loan.

“This gives the victim confidence to enable the very revealing local permissions on the devices, enabling the malicious actors to steal private information from the endpoint,” Ortega said.

After a device is infected, the victim is then asked to pay a certain amount to get access back to the data. If they fail to pay on time, and in some cases even after repaying the loan, the hackers will threaten to reveal information, call contacts and even send photos stolen from the device.

“This level of social engineering puts victims under increased pressure to comply, often paying more than originally agreed upon to make it stop,” Ortega added.

More information about the MoneyMonger campaign, including a list of Indicators of Compromise (IoC), is available in the Zimperium advisory.

Its publication follows an Outseer report at the end of September suggesting that most online banking fraud today results from customers being tricked into paying scammers.

Update 16/12/2022. A Google Spokesperson told Infosecurity: "None of the identified malicious apps in the report are on Google Play. Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Google Play Protect will warn users that attempt to install or launch apps that have been identified to be malicious."
