Zimperium, have revealed details of a newly discovered Android malware campaign hidden in money lending apps developed with Flutter, a software development kit used to create applications that work across multiple platforms, including Android and iOS
The team at Zimperium zLabs have unearthed MoneyMonger, a menace that takes advantage of personal data taken from a device to extort the victims into paying more than what the usurious loans necessitate.
The malicious code is a part of the predatory loan malware scheme previously discovered by K7 Security Labs.
This recently identified malicious software has been operational since May 2022 and is utilising a variety of methods of manipulating its targets. It starts with a fraudulent loan offer that promises a fast payout.
When the person attempts to access the app, they are informed that certain authorizations need to be granted on their mobile device in order for them to qualify for the loan.
MoneyMonger takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis.
Due to the nature of Flutter, the malicious code and activity now hide behind a framework outside the static analysis capabilities of legacy mobile security products.
The MoneyMonger malware is distributed solely through third-party app stores or is sideloaded onto the victim’s device through phishing messages, compromised websites, social media campaigns or other tactics. It has not been found in any Android app stores.
Upon infiltrating a user’s device, MoneyMonger will send all kinds of private information to their server, including apps that are installed, GPS coordinates, text messages, contact list, device specifications, and other data related to images.
This stolen information is used to blackmail and threaten victims into paying excessively high-interest rates. If the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors threaten to reveal information, call people from the contact list, and even send photos from the device.
MoneyMonger is a risk to individuals and enterprises because it collects a wide range of data from the victim’s device, including potentially sensitive enterprise-related material and proprietary information.
The malicious actors behind MoneyMonger are constantly developing and updating the app to avoid detections by adding XOR encryption in the string on the Java side, while also adding more information in the Flutter-dart side.
Richard Melick, Director of Mobile Threat Intelligence at Zimperium says the extremely novel MoneyMonger malware campaign highlights a growing trend by malicious actors to use blackmail and threats to scam victims out of money.
“Quick loan programs are often full of predatory models, such as high-interest rates and payback schemes, but adding blackmail into the equation increases the level of maliciousness.”
“Any device connected to enterprise data poses a risk to the enterprise if an employee falls victim to the MoneyMonger predatory loan scam on that device.,” said Melick,
It is unclear how many people have been affected by the malicious application due to its third-party store and sideloading distribution methods, but many of the unauthorised app stores have said that it was downloaded more than 100,000 times.
