“The malware represents a significant change because it directly incorporates malicious components within Flutter code,” Axel Appville, researcher at Fortinet FortiGuard Labs, said in a report published last week.
Flowhorse was first documented by Check Point in early May 2023, detailing its attacks on users based in East Asia through apps masquerading as ETC and VPBank Neo, popular in Taiwan and Vietnam. The initial infiltration vector for malware is phishing.
The app’s ultimate goal is to steal credentials, credit card details and two-factor authentication (2FA) codes received as SMS on a remote server under the control of threat actors.
The latest findings from Fortinet, which reverse-engineered the Flowhorse sample uploaded to VirusTotal on June 11, 2023, suggest the malware has evolved, adding additional sophistication by hiding an encrypted payload in a packer.
Apvrille explained, “Decryption is performed at the native level (for hardening reverse engineering) using OpenSSL’s EVP cryptographic API.” The encryption algorithm is AES-128-CBC, and its implementation uses the same hard-coded string for the key and initialization vector (IV).
The decrypted payload, a zip file, contains a Dalvik executable file (.dex), which is installed on the device to listen for incoming SMS messages and send them to a remote server.
Apvrille said, “While reversing Flutter applications statically is a success for anti-virus researchers, unfortunately, more malicious Flutter apps are expected to be released in the future.”
