This new Android malware is stealing passwords and 2FA codes — what you need to know

One phone with skull and crossbones on screen among several other clean-looking phones.
(Image credit: Marcos_Silva/Shutterstock)

Android smartphones are once again under attack by a new malware strain spread via malicious apps impersonating legitimate ones.

As reported by BleepingComputer, this new malware has been dubbed ‘FluHorse’ by security researchers at Check Point Research. So far, FluHorse has primarily been used to target users in Eastern Asian countries but as the campaign used to spread this malware is still ongoing, it remains an active threat that all Android users need to watch out for.

What makes FluHorse particularly dangerous is the malware’s ability to steal passwords and 2FA codes from infected devices. Likewise, most of the apps impersonated in this campaign have over one million installs according to Check Point’s report on the matter.

Using unpaid invoices as a lure

woman holding phone and credit card after being hacked

(Image credit: Shutterstock)

The FluHorse malware is currently being spread through malicious apps impersonating the Taiwanese toll app ETC and the Vietnamese banking app VPBank Neo. The legitimate versions of both of these apps each have over a million installations.

The attacks used in this campaign begin with malicious emails sent out to high-profile targets. The emails themselves use unpaid invoices as a lure and contain links to phishing sites where recipients are encouraged to download the APK file for the ETC, VPBank Neo or an unnamed transportation app used by 100,000 people.

Upon installation, all three malicious apps request SMS access on an infected Android smartphone in order to intercept incoming 2FA codes which are then used to hijack a victim’s accounts.

To appear more legitimate, all of these fake apps copy the user interfaces of their legitimate counterparts. However, after stealing a victim’s account credentials and credit card details, the apps show a message which says that “system is busy” for 10 minutes. This gives the hackers behind this campaign more time to steal data from victims while making the process appear realistic.

Once the process is complete, the hackers have everything they need to commit fraud or even identity theft. While the FluHorse malware has yet to be used on targets in English-speaking countries, campaigns similar to this one could be launched by cybercriminals looking to make a quick buck.

How to stay safe from phishing and malicious Android apps

Best antivirus software

(Image credit: Shutterstock)

As this campaign is a bit more complicated than previous ones we’ve covered in the past, you need to know how to spot a phishing campaign as well as how to stay safe from malicious apps to avoid falling victim to it.

For starters, the emails used in this campaign are classic examples of phishing attempts as they try to instill a sense of urgency in targeted users. If someone who receives an email like this is a high-profile target worried that they might owe someone money, they’re more likely to either respond to the email or click on the malicious link found inside it. This is why you always want to look out for emails from unknown senders — especially those that claim you have an unpaid invoice.

From here, you need to be extremely cautious when an email or a phishing site tries to convince you to download an APK file to sideload an Android app. Any legitimate business will host its apps on the Google Play Store instead of having you download and manually install them. Even if you did install one of these malicious apps, the fact that they ask for permission to read and send text messages sent to your phone is another red flag. Regardless of where you install an app from, you need to be careful when granting permissions as in doing so, you’re basically giving a great deal of control over your smartphone to an app.

To avoid falling victim to malicious apps and having your devices infected with malware, you want to make sure that Google Play Protect is enabled on your smartphone. This free app which comes pre-loaded on your phone scans both your existing apps and any new ones you download for malware. For extra protection though, you can also install one of the best Android antivirus apps.

As FluHorse is a new Android malware, we’ll likely see it used in other campaigns going forward which is why every Android user needs to be careful, both when checking your inbox and when installing new apps.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • Waxpatch
    In other words, if you remove built in protection from google and then download a fake banking app from a website, ignore the system warnings and give it full permissions…