Blackmailers Leverage Flutter Framework in ‘MoneyMonger’ Malware
Blackmailers are using Flutter’s framework in a newly-discovered Android malware campaign.
Mobile security platform Zimperium’s zLabs team publicly identified the threat, which it dubbed MoneyMonger, on Thursday. The attack allows the malfeasant to steal personal information from a device when the end user applies for a microloan through financial apps. The attacker then leverages that personal information to blackmail victims into paying more than the terms that their predatory loans required.
MoneyMonger takes advantage of Flutter’s framework to “obfuscate malicious features and complicate the detection of malicious activity by static analysis,” the company said. “Static analysis from legacy mobile security tools do not have the capability to look into the Flutter framework for malicious activity, leaving devices, data, and people at risk,” it added.
Google built the Flutter framework atop Dart. Released in 2017, Flutter is an open source user interface software kit for cross-platform mobile applications, including Android and iOS.
The MoneyMonger malware is distributed through third-party app stores — although it has not been found in any Android app stores, the company stated — or is sideloaded onto the victim’s device through a phishing message, compromised website or social media campaigns, Zimperium said in a blog post. The code found is part of a larger predatory loan malware campaign previously discovered by K7 Security Labs and has been active since May 2022.
At this time, the total number of victims is unknown due to the use of third-party stores and sideloading for distribution, however many of the unauthorized app stores report over 100,000 downloads of the malicious application, the company stated.
Social Engineering
The malware relies on multiple layers of social engineering, beginning with a predatory loan scheme promising quick money, Zimperium stated. The intended victim is told while setting up the app that it requires certain permissions on the mobile device to ensure they are in good standing to receive the loan.
Once in, the attacker gains access to steal private information from the endpoint. MoneyMonger uploads victims’ personal data to its server, including installed apps, GPS locations, SMS, contact information, device information, metadata of images, and more, which is then used to blackmail the victim into paying excessively high-interest rates. If the victim fails to pay on time — and in some cases even after the loan is repaid — the attacker threatens to reveal information, call people from the contact list, and send photos from the device.
The malicious actors behind MoneyMonger are constantly developing and updating the app to avoid detections by adding XOR encryption in the string on the Java side while also adding more information in the Flutter-dart side, said Richard Melick, director of mobile threat intelligence at Zimperium. Developers should be aware of these types of activities, he added.
“Developers need to be aware that malicious actors use the same tools and techniques to produce malware to target devices, apps, or individuals,” Melick told The New Stack. “Apps are data troves of critical information, and if no security mindset is applied during their development, they could be susceptible to attack, exploit, and compromise later on.”
