MoneyMonger Exploits Flutter Framework

Threat actors have been exploiting the open-source user interface software kit Flutter to deploy apps with critical security and privacy risks.

The Flutter has been a game changer for application developers, attackers  have taken advantage of its capabilities and framework. The code, part of a more extensive, predatory loan malware campaign previously discovered by K7 Security Labs, uses Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity via static analysis.

Dubbed as MoneyMonger, the malicious app has not reportedly been detected in official Android stores. This new variant of the malicious loan campaign has been active since at least May 2022.

It uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme, promising quick money to those who follow a few simple instructions.

Once after the  installation, the app prompts the user to grant several permissions on the mobile endpoint to ensure they are in good standing to receive the loan. This gives the victim confidence to enable the very revealing local permissions on the devices, enabling the malicious actors to steal private information from the endpoint.

The victim is then asked to pay a certain amount to get access back to the data after infected. If they fail to pay on time, and in some cases even after repaying the loan, the hackers will threaten to reveal information, call contacts, and even send photos stolen from the device.

The MoneyMonger malware campaign highlights a growing trend by malicious actors to use blackmail and threats to scam victims out of money. Like what is seen with ransomware, these types of campaigns are increasingly common due to their success in leaving victims feeling helpless in the situation.

Quick loan programs are often full of predatory models, such as high-interest rates and payback schemes, but adding blackmail into the equation increases the level of maliciousness. And due to the financial uncertainty, many people globally are experiencing, it is no surprise to find this malware type growing in popularity.

This research was documented by researchers for Zimperium

Indicators of Compromise

• 8db66f5794ce37cc1f3f341a2e3455c2dbdf1c80
• 1e8a2c8d649d0640eae53895d7297e1fbc737f5f
• 55ea2ff327015dcadfb54b3c3b000ae51f175f10
• 90aa04cf96df0a487008f374d9c60827ef34fed0
• 4f430eabdf27b750a23054fe25a9d27be1e74dd1
• 9b6fb2078d1bbea53a3194fc014b8f9356f90aea
• 07eb4126c4b18476ff2033c021569b3761c0d477
• 92911fd36f0a2e5e50dcc6d7a0e418cd28c7faa2
• 7dda134218ed4146844e09504bc249b107ad64d4
• 349a91b528fa5ed77a31d8663a41d2f3bc2915f0
• c1ecb0b5aed51b96e6ffc7ba5e2f3adce5abd92f
• 9ca5af1f9f594b4e19a77ace057441bc4cb010a5
• 38a921ac895e1d1d00030778e5c8609658deb037
• 53928ede30034f3528288318cb953d745d2e8ebb
• d58eeed6cbf924c164f4977fb0183995d141226d
• c14ce04526ea81f33f83ed0549d67e28372cd64b
• dfe405c12e34ad923cd1b37cacacaf4e2aa03724
• f266f7e0b813ebbee5e062578a4b59045fa54e2e
• 502a802b6ff3f054f58b116330ee8a3504ad73af
• ee3f9974bfec0d99cb40faa05c32ce88ca9f9eb4
• d58eeed6cbf924c164f4977fb0183995d141226d
• 6f78c8401f2d902556f5894ed57f43ad0c960c38
• b23ba35f30955fa811471a5aa7db35e60c7afb83
• f4f057f71c8aff5fe62659b325d57da4e6f9a6eb
• e19cc4344e30669c25d07fc208b8d153376433b8
• 3fd47e7e068aa6ca519ae07bd48ca8edbdeb7479
• d9e5acfd4131b069775ed906974d64e52c7b7ed0
• c4eee81efd3949b6a567457e4e60eb5ea103d488
• 8d50dbec837c1317ee5f171f835e67ff81f7a6e6
• 74a961fc6c0e8e2b4b99a52968a5b3e43d4ff3af
• 5cfc5a2375b0b77935612a9591aaadc9b7cf8267
• 1f0b55438f5f4377586fb1b2ef64abcd2b896d0c
• f38243081ff4654f064cb1d27e8b23299954c90b
• 1d351597d69f878c028f0dd5300823c6feb3ba40
• 326192ad67422da2f9d496bf15da0f5992db9d6f