Executive Summary
Flutter, the open-source user interface (UI) software kit for cross-platform mobile applications, has helped drive new mobile applications onto the market. This modern mobile application framework removes many barriers to creating multi-platform applications, and developers can create native mobile apps with only one codebase. While Flutter has been a game changer for application developers, malicious actors have also taken advantage of its capabilities and framework, deploying apps with critical security and privacy risks to unsuspecting victims.
During a routine analysis of applications, the Zimperium zLabs team recently discovered and analyzed a Flutter application with malicious code. This code, part of a larger predatory loan malware campaign previously discovered by K7 Security Labs, takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis. Due to the nature of Flutter, the malicious code and activity now hide behind a framework outside the static analysis capabilities of legacy mobile security products.
The Flutter-obfuscated malware campaign, which we have named MoneyMonger, has not been detected in official Android stores. This novel malware campaign is solely distributed through third-party app stores and sideloaded onto the victim’s Android device. The new variant of this predatory loan campaign has been active since May 2022. Most commonly, these types of campaigns take advantage of social engineering through phishing messages, compromised websites, rogue WiFi networks, and social media to distribute the download links.
The MoneyMonger malware uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme that promises quick money to those who follow a few simple instructions. While setting up the app, the victim is told that permissions are needed on the mobile endpoint to confirm they are in good standing to receive the loan. This gives the victim the confidence to grant highly revealing local permissions on the device, which lets the malicious actors steal private information from the endpoint.
Finally, if the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors behind the predatory campaign will threaten to reveal information, call people from the contact list, and even send photos stolen from the device. This level of social engineering puts victims under increased pressure to comply, often paying more than originally agreed upon to make it stop.
Flutter’s use in the developer world has changed the face of mobile application development, and it is no surprise that malicious actors followed in their footsteps to quickly develop and deploy new variants of malware, just as they did with MoneyMonger.
What Threat Does MoneyMonger Pose?
MoneyMonger collects critical and personal data on unsuspecting victims and uploads the stolen information to its server, including installed apps, GPS locations, SMS, contact information, device information, metadata of images, and more. The malicious actors then use this stolen information to blackmail and threaten the victims into paying excessively high interest rates. As seen in the screenshots below, reviews of this app show the predatory and threatening behavior of the malicious actors.
Due to the nature of the data theft and blackmail in this predatory loan campaign, this malware poses a risk to enterprises just as it does to individuals. The malicious application collects a wide range of data from the victim’s device, and any enterprise-related material would be included in this theft, including potentially sensitive and proprietary information. Any device connected to enterprise data, whether corporate-owned or part of a BYOD policy, poses a risk to the enterprise if a user uses that device for the MoneyMonger predatory loan scam.
How MoneyMonger Works
The malicious actors behind MoneyMonger are constantly developing and updating the app to evade detection, XOR-encrypting strings on the Java side while moving more information into the Flutter (Dart) side.
The MoneyMonger infected app requests access to the following permissions in order to collect and exfiltrate a wide variety of data and perform a wide range of malicious actions:
- Camera Access
- Contact List
- GPS Location Data
- Sound Recording
- Call Logs
- SMS Lists
- Storage and File Lists
Similar to other mobile malware and spyware we have discovered, the MoneyMonger malware requests permissions from the victim in order to carry out the collection of critical and private information. Once access is granted to the malicious application, it is capable of collecting and sending the private data to a private server for use in blackmail later on.
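The permission list above is the most portable signal an analyst has when triaging a sideloaded loan app. The following script is an added example, not code from the Zimperium report or from any of the samples: it parses a decoded AndroidManifest.xml (assumed already converted from binary XML, for instance with apktool) and reports how many of the report's data-collection categories an app's requested permissions cover, and whether the APK entry list contains the Flutter native library libapp.so. The mapping from the report's category names to concrete permission strings is my own assumption, since the report names categories rather than manifest strings, and the sample manifests and entry lists are constructed.

```python
# Added example (not code from the Zimperium report): triage a decoded
# AndroidManifest.xml against the permission set MoneyMonger requests, and
# check an APK's entry list for the Flutter native library libapp.so.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from the report's permission categories to manifest
# permission strings (the report names the categories, not the strings).
MONEYMONGER_PERMISSIONS = {
    "Camera Access": {"android.permission.CAMERA"},
    "Contact List": {"android.permission.READ_CONTACTS"},
    "GPS Location Data": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION"},
    "Sound Recording": {"android.permission.RECORD_AUDIO"},
    "Call Logs": {"android.permission.READ_CALL_LOG"},
    "SMS Lists": {"android.permission.READ_SMS"},
    "Storage and File Lists": {"android.permission.READ_EXTERNAL_STORAGE",
                               "android.permission.READ_MEDIA_IMAGES"},
    "Phone Calls": {"android.permission.CALL_PHONE"},
}


def requested_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)}


def matched_categories(perms):
    """List the report's categories that the requested permissions cover."""
    return [cat for cat, names in MONEYMONGER_PERMISSIONS.items() if perms & names]


def has_flutter_lib(entry_names):
    """True if any APK entry is a Flutter libapp.so (e.g. lib/arm64-v8a/libapp.so)."""
    return any(name.endswith("/libapp.so") for name in entry_names)


def triage(manifest_xml, entry_names, threshold=5):
    """Flag an app for review when it covers at least `threshold` categories.
    Flutter presence is reported separately: the report also lists samples
    shipped without libapp.so, so it must not gate the verdict."""
    cats = matched_categories(requested_permissions(manifest_xml))
    return {
        "categories": cats,
        "flutter": has_flutter_lib(entry_names),
        "verdict": "review" if len(cats) >= threshold else "ok",
    }


# Constructed sample: a loan app manifest requesting every category above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Loan"/>
</manifest>"""
SAMPLE_ENTRIES = ["AndroidManifest.xml", "classes.dex",
                  "lib/arm64-v8a/libflutter.so", "lib/arm64-v8a/libapp.so"]

# Constructed benign manifest: one permission, no Flutter library.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_ENTRIES))
    print(triage(BENIGN_MANIFEST, ["classes.dex"]))
```

The threshold is deliberately a count of categories rather than an exact match, because a legitimate messaging or navigation app may request two or three of these permissions; it is the combination of contacts, SMS, call logs, location and storage in a loan app that warrants a closer look.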
These malicious apps are built with the Flutter framework, so part of the logic lives in the compiled Flutter code, hiding it from traditional Android malware detection. When the application starts, it reads the encrypted configuration embedded in libapp.so, decrypts it with AES, and uses the resulting “config” to drive the application at runtime.
The decrypted configuration contains the following fields (shown in the screenshot):
- Url Mapping
- App ID
The above configuration defines which data collected from user devices will be stored in fluentd (an open-source data collection library).
Once decrypted, the config is stored in the file “FlutterSharedPreferences” and the app presents the user with the privacy policy:
Once the user accepts the privacy policy, the application requests the following permissions:
Contacts:
Using the ContactsContract API, the application collects this information and stores it in a HashMap that is returned when the method finishes. The Java flow responsible for collecting contact information is presented in the following image (Image 4).
SMSs:
SMS data is obtained by querying android.provider.Telephony.Sms.Inbox, which holds all text messages in the SMS app inbox. The method also reads the SharedPreferences value “smsCount”, which sets the number of SMS messages to read. As with the contacts flow, the user must grant the application SMS access permission.
Location:
To obtain the location, the application uses the LocationManager API and, as with the previous data, returns the result in a Map<String, Object>.
Access to files/photos:
During dynamic execution and analysis, the zLabs team observed the exfiltration of information off the victim’s device. This information includes metadata related to various files on the device. A possibility also exists for exfiltration of actual files off the device, but that was not observed dynamically.
The stolen information is uploaded to a private server.
However, the research team observed that the Java side is also capable of uploading:
- Complete images: (“pickImages”) → com.sangcomz.fishbun.ui.picker
- Thumbnails (“requestThumbnail”)
- Metadata (“RequestMetada”) → the only one of the three actually captured during dynamic execution.
Other permissions requested:
Permissions to make and manage phone calls: The application has another flow that can be triggered, which checks whether the device contains a SIM. The app creates an action.CALL intent and verifies that getSimState() == 5 (SIM_STATE_READY). On the Flutter side, this method is triggered by calling checkServiceStatus.
The Communication Between Flutter and Java
The communication between Flutter and Java is done via MethodChannel. The following screenshot lists the private information that is leaked from the Java side:
- device: Information about device (fingerprinting)
- app: Information about the application installed in the device
- contacts: Information about the contacts explained above
- sms: Information about the SMSs
These methods collect the information mentioned above, and when traced backwards, we find that the original method that triggers “Collects_privateInfo” (renamed) is called “getAlldeviceInfo” in the Flutter code.
When we look at the traffic generated by the app, we see that the information exchanged between the app and the C&C (https[://]app[.]fastrupe[.]com) is encrypted and decrypted with the methods aesEncrypt/Decrypt, using key=“D4JcGjcw489iiEq1” and IV=“D4JcGjcw489iiEq1” for both methods (the same 16-byte value serves as both key and IV).
After decrypting and analyzing the communication, we obtained the following information:
- https[://]app.fastrupe[.]com/centrism-hippie-administratress/epiploon/dangler: Google token
- https[://]app.fastrupe[.]com/eventful-levallorphan-computerlike/dimethylmethane-berceuse: Event Log communication
Private information sent to the C&C:
- https[://]app.fastrupe[.]com/carburet-bedrock-hydropsychotherapy/cosmology-deintegro: GPS_info
- https[://]app.fastrupe[.]com/seventyfold-goral/harvey-cryosorption: getOSStoken
- URL of private storage holding the stolen data: https[://]oss[.]fastrupe[.]com/{AppId}/{MD5}
- https[://]app.fastrupe[.]com/explicable-dingbat/juso-proviral-kinesthesis/invasion-docile: JSON upload containing the URLs to which users’ personal information is automatically uploaded.
During the threat analysis, the zLabs team was able to access the collected information from the malware, as detailed below:
{"model":{"ossFile":"https[://]oss[.]fastrupe[.]com/2m86p1di/f9af4bfa96fd41a597aab380f683d877","ossType":"DEVICE"}}… → Information about the device.
{"model":{"ossFile":"https[://]oss[.]fastrupe[.]com/2m86p1di/c467769ca99d4d15a849d05a598deb58","ossType":"APP"}}… → List of apps installed on the device.
{"model":{"ossFile":"https[://]oss[.]fastrupe[.]com/2m86p1di/28dba14571e9466885fb303c018427b6","ossType":"CONTACT"}}… → List of contacts.
{"model":{"ossFile":"https[://]oss[.]fastrupe[.]com/2m86p1di/a0f352aaa2194955a67f70db68391d45","ossType":"PHOTO"}}… → Metadata about the pictures on the device.
{"model":{"ossFile":"https[://]oss[.]fastrupe[.]com/2m86p1di/d6b3a0bf48dc4254800f0b67c19ccab7","ossType":"SMS"}}… → SMS information, uploaded only if the SMS list is not empty.
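Once the C&C traffic has been decrypted, the records above are the part an incident responder needs to inventory: which data categories were pushed to the private storage bucket, and under which App ID. The following parser is an added example, not code from the Zimperium report: it refangs the defanged URLs as printed in the report, tolerates the truncation marks after each JSON object, validates the {AppId}/{MD5} path layout the report documents, and summarizes the exfiltrated categories per App ID. The ossType meanings come from the report; the record lines embedded below are the five quoted above, and the AES decryption step itself is assumed to have already happened.

```python
# Added example (not code from the Zimperium report): parse decrypted
# MoneyMonger C&C records of the shape shown above and inventory which data
# categories were pushed to the private storage bucket, per App ID.
import json
import re
from urllib.parse import urlparse

# Meaning of each ossType as described in the report.
OSS_TYPES = {
    "DEVICE": "device fingerprint",
    "APP": "installed app list",
    "CONTACT": "contact list",
    "PHOTO": "image metadata",
    "SMS": "SMS messages",
}

_decoder = json.JSONDecoder()


def refang(text):
    """Undo the report's defanging ([.] and [://]) so URLs parse normally."""
    return text.replace("[[://]]", "://").replace("[://]", "://").replace("[.]", ".")


def parse_record(line):
    """Parse one record. raw_decode() ignores trailing bytes, so the
    truncation marks (…) after the JSON object do not break parsing."""
    obj, _ = _decoder.raw_decode(refang(line.strip()))
    model = obj["model"]
    url = model["ossFile"]
    parts = urlparse(url)
    segments = parts.path.strip("/").split("/")
    # The report documents the layout https://oss.fastrupe.com/{AppId}/{MD5};
    # anything else is treated as a parsing problem rather than silently kept.
    if parts.scheme != "https" or len(segments) != 2 \
            or not re.fullmatch(r"[0-9a-f]{32}", segments[1]):
        raise ValueError("unexpected ossFile layout: %s" % url)
    oss_type = model["ossType"]
    return {
        "host": parts.hostname,
        "app_id": segments[0],
        "object_id": segments[1],
        "oss_type": oss_type,
        "category": OSS_TYPES.get(oss_type, "unknown"),
    }


def summarize(lines):
    """Return (records, categories per app_id) for a batch of decrypted lines."""
    records = [parse_record(line) for line in lines if line.strip()]
    per_app = {}
    for rec in records:
        per_app.setdefault(rec["app_id"], set()).add(rec["category"])
    return records, {app: sorted(cats) for app, cats in per_app.items()}


# The five records quoted in the report, as printed (defanged and truncated).
CAPTURED_RECORDS = [
    '{"model":{"ossFile":"https[://]oss[.]fastrupe[.]com/2m86p1di/f9af4bfa96fd41a597aab380f683d877","ossType":"DEVICE"}}…',
    '{"model":{"ossFile":"https[://]oss[.]fastrupe[.]com/2m86p1di/c467769ca99d4d15a849d05a598deb58","ossType":"APP"}}……',
    '{"model":{"ossFile":"https[://]oss[.]fastrupe.com/2m86p1di/28dba14571e9466885fb303c018427b6","ossType":"CONTACT"}}..',
    '{"model":{"ossFile":"https[://]oss[.]fastrupe.com/2m86p1di/a0f352aaa2194955a67f70db68391d45","ossType":"PHOTO"}}….',
    '{"model":{"ossFile":"https[://]oss[.]fastrupe.com/2m86p1di/d6b3a0bf48dc4254800f0b67c19ccab7","ossType":"SMS"}}……',
]

if __name__ == "__main__":
    records, per_app = summarize(CAPTURED_RECORDS)
    for rec in records:
        print(rec["app_id"], rec["oss_type"], rec["object_id"])
    print(per_app)
```

The per-App-ID summary is what goes into the incident record and the takedown request: for the App ID seen in the report, all five categories (device, apps, contacts, photo metadata, SMS) were uploaded, which matches the report's description of the campaign's data collection.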
Who are the Victims of the Threat?
While the total number of victims of this variant of the MoneyMonger malware and blackmail scam is unknown due to the use of third-party stores and sideloading for distribution, many of the unauthorized app stores report over 100,000 downloads of the malicious application. And based on the number of downloads of previously active variants, it is safe to assume the malicious actors behind this campaign are successfully socially engineering victims into falling for the predatory loan scams.
The app relies on geo-specific targeting for its predatory loan schemes. This specific variant of the Flutter-obfuscated MoneyMonger targets Indian residents, and other variants of this app have been discovered targeting residents of Peru. However, users who install the application would suffer a private information leak even before requesting the loan.
The MoneyMonger malware campaign highlights a growing trend among malicious actors of using blackmail and threats to scam victims out of money. As with ransomware, these campaigns are increasingly common because they succeed in leaving victims feeling helpless. Quick loan programs are often built on predatory models, such as high interest rates and payback schemes, but adding blackmail to the equation raises the level of maliciousness. Given the financial uncertainty many people around the world are experiencing, it is no surprise to find this type of malware growing in popularity.
Zimperium vs. MoneyMonger Malware
Enterprise customers of Zimperium are protected against this newest MoneyMonger malware variant by our on-device z9 Mobile Threat Defense machine learning engine, despite the malware’s use of Flutter as an obfuscation layer. Zimperium’s patented on-device detection provides advanced security and protection against device, network, app, and web threats, keeping both personal and enterprise data private and secure.
Zimperium on-device phishing classifiers detect the traffic from the malicious domains with our machine learning-based technology, blocking all traffic to the command and control servers.
To ensure your Android users are protected from MoneyMonger malware, we recommend a quick risk assessment. Any application with the MoneyMonger code will be flagged as a Suspicious App Threat on the device and in the zConsole. Admins can also review which apps are sideloaded onto the device, increasing the mobile attack surface and leaving data and users at risk.
Indicators of Compromise
Applications that contain the Flutter native file (libapp.so):
- com.fastrupee.fastrupeepeefa
- com.handyloan.loanhandhwinload
- credit.com.creditcredit.cash.cash.loan.king.loanloan
- com.safe.safe.loan.loanee.advance.cash.buddy.handy.quic.com
- com.moment.time.credit.loan.bean
- com.flashrupee.rupeeflashfrup
- com.pokemoney.pokemonenyfb
- com.goloans.goloansgood
- com.small.credit.cersmallcedi
- com.gocasho.cashgcshoe
- com.flash.rupee.flashrupee.cn
- com.goldcash.cashgolddocahs
- com.buddyyrupee.rupeehahrebu
- com.hello.rupee.hellorupee
Android app bundles (without libapp.so):
- com.loan.guide.credit.buddy.advance.small
- com.mas.prestamos.premas.ccn
- com.hold.loan.loan.credit.loan.cash.go.kakao.bank.andriod
- com.coin.cash.concashds.cc
- com.money.snap.moneysnap.com
- com.swipe.credit.swipecredit.com
- com.rainbow.cash.rainbowcash.com
- com.money.tree.moneytree.com
- smart.cash.loan.small.credit.advance.cash.buddy.com
- com.cash.market.cashmarket.cn
- com.instant.credit.instantcredit.cn
- com.fastcoin.coinffafasecoin
- com.magic.Loan.magicloan.cn
- com.loan.resource.loanresource.cn
- com.cashanytime.timecahshelob
- com.bazar.loan.cash.cash.bazar.credit
- com.bike.loan.bikeloan.com
- com.oneloans.loansonejdsj
- com.dutta.rupee.duttareppeof
Complete list of hashes (SHA-1)
Applications that contain the Flutter native file (libapp.so):
- 8db66f5794ce37cc1f3f341a2e3455c2dbdf1c80
- 1e8a2c8d649d0640eae53895d7297e1fbc737f5f
- 55ea2ff327015dcadfb54b3c3b000ae51f175f10
- 90aa04cf96df0a487008f374d9c60827ef34fed0
- 4f430eabdf27b750a23054fe25a9d27be1e74dd1
- 9b6fb2078d1bbea53a3194fc014b8f9356f90aea
- 07eb4126c4b18476ff2033c021569b3761c0d477
- 92911fd36f0a2e5e50dcc6d7a0e418cd28c7faa2
- 7dda134218ed4146844e09504bc249b107ad64d4
- 349a91b528fa5ed77a31d8663a41d2f3bc2915f0
- c1ecb0b5aed51b96e6ffc7ba5e2f3adce5abd92f
- 9ca5af1f9f594b4e19a77ace057441bc4cb010a5
- 38a921ac895e1d1d00030778e5c8609658deb037
- 53928ede30034f3528288318cb953d745d2e8ebb
- d58eeed6cbf924c164f4977fb0183995d141226d
- c14ce04526ea81f33f83ed0549d67e28372cd64b
- dfe405c12e34ad923cd1b37cacacaf4e2aa03724
Android app bundles (without libapp.so):
- f266f7e0b813ebbee5e062578a4b59045fa54e2e
- 502a802b6ff3f054f58b116330ee8a3504ad73af
- ee3f9974bfec0d99cb40faa05c32ce88ca9f9eb4
- d58eeed6cbf924c164f4977fb0183995d141226d
- 6f78c8401f2d902556f5894ed57f43ad0c960c38
- b23ba35f30955fa811471a5aa7db35e60c7afb83
- f4f057f71c8aff5fe62659b325d57da4e6f9a6eb
- e19cc4344e30669c25d07fc208b8d153376433b8
- 3fd47e7e068aa6ca519ae07bd48ca8edbdeb7479
- d9e5acfd4131b069775ed906974d64e52c7b7ed0
- c4eee81efd3949b6a567457e4e60eb5ea103d488
- 8d50dbec837c1317ee5f171f835e67ff81f7a6e6
- 74a961fc6c0e8e2b4b99a52968a5b3e43d4ff3af
- 5cfc5a2375b0b77935612a9591aaadc9b7cf8267
- 1f0b55438f5f4377586fb1b2ef64abcd2b896d0c
- f38243081ff4654f064cb1d27e8b23299954c90b
- 1d351597d69f878c028f0dd5300823c6feb3ba40
- 326192ad67422da2f9d496bf15da0f5992db9d6f
Complete list of C&C servers:
- https[://]app.flashrupee[.]com
- https[://]app.magicloan[.]space
- https[://]app.flashrupee[.]xyz
- https[://]app.loanresources[.]space
- https[://]app.buddyrupee[.]com
- https[://]app.moneysnap[.]space
- https[://]app.goldcash[.]vip
- https[://]app.go-cash[.]net
- https[://]app.safetyloan[.]xyz
- https[://]app.loan-guide[.]xyz
- https[://]app.flashrupee[.]space
- https[://]app.masprestamos[.]xyz
- https[://]app.handyloan[.]xyz
- https[://]app.swipecredit[.]space
- https[://]app.instantcredit[.]space
- https[://]app.credit-king[.]xyz
- https[://]app.holdloan[.]xyz
- https[://]app.rainbowcash[.]space
- https[://]app.smallcredit[.]xyz
- https[://]app.duttarupee[.]com
- https[://]app.hellorupe[.]com
- https[://]app.coin-cash[.]xyz
- https[://]app.cash-bazar[.]com
- https[://]app.timecredit[.]xyz
- https[://]app.moneytreess[.]space
- https[://]app.smart-cash[.]xyz
- https[://]app.cashmarket[.]space
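The three indicator lists above (package names, SHA-1 hashes, C&C servers) are most useful when checked automatically against device inventories and network logs. The following script is an added example, not code from the Zimperium report: it matches `adb shell pm list packages` output against the package-name list, APK digests against the hash list, and DNS log lines against the C&C hostnames (exact host or subdomain). Only a subset of the report’s indicators is embedded so the example stays short; paste the full lists above into the three text constants for real use. The package output, digests and DNS log lines are constructed sample data, and the `query=` log field layout is an assumption about the log format, not a real resolver’s format.

```python
# Added example (not code from the Zimperium report): match a device's package
# list, APK SHA-1 digests and DNS logs against the report's indicators. Only a
# subset of the report's IoCs is embedded here; paste the full lists to use it.
import hashlib
import re
from urllib.parse import urlparse

# Subset of package names from the report (both groups).
PACKAGE_IOCS = """
com.fastrupee.fastrupeepeefa
com.hello.rupee.hellorupee
com.loan.guide.credit.buddy.advance.small
com.mas.prestamos.premas.ccn
"""

# Subset of SHA-1 hashes from the report.
HASH_IOCS = """
8db66f5794ce37cc1f3f341a2e3455c2dbdf1c80
f266f7e0b813ebbee5e062578a4b59045fa54e2e
"""

# Subset of C&C servers from the report, defanged as printed.
CC_IOCS = """
https[://]app.flashrupee[.]com
https[://]app.hellorupe[.]com
https[://]app.masprestamos[.]xyz
"""


def load_list(text):
    """One indicator per line; blank lines ignored; normalized to lowercase."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def refang(text):
    return text.replace("[://]", "://").replace("[.]", ".")


def cc_hosts(text):
    """Hostnames of the (refanged) C&C URLs, for log matching."""
    return {urlparse(refang(u)).hostname for u in load_list(text)}


def match_packages(pm_output, iocs):
    """Match `adb shell pm list packages` output ('package:<name>' per line)."""
    hits = []
    for line in pm_output.splitlines():
        name = line.strip()
        if name.startswith("package:"):
            name = name[len("package:"):]
        if name.lower() in iocs:
            hits.append(name)
    return hits


def sha1_hex(data):
    """SHA-1 of APK bytes, for comparison with the report's hash list."""
    return hashlib.sha1(data).hexdigest()


def match_hashes(digests, iocs):
    return sorted(d.lower() for d in digests if d.lower() in iocs)


# Assumed log layout: a 'query=<name>' field somewhere on the line.
_QUERY_RE = re.compile(r"query=(?P<q>[A-Za-z0-9.-]+)")


def match_dns(log_lines, hosts):
    """Flag queries for a C&C host or any subdomain of one."""
    hits = []
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if not m:
            continue
        q = m.group("q").rstrip(".").lower()
        if q in hosts or any(q.endswith("." + h) for h in hosts):
            hits.append((q, line))
    return hits


# Constructed sample inputs.
SAMPLE_PM = "package:com.android.chrome\npackage:com.hello.rupee.hellorupee\n"
SAMPLE_DIGESTS = ["F266F7E0B813EBBEE5E062578A4B59045FA54E2E",
                  "0000000000000000000000000000000000000000"]
SAMPLE_DNS = [
    "2022-11-15T10:02:11Z client=10.0.0.5 query=app.flashrupee.com. type=A",
    "2022-11-15T10:02:12Z client=10.0.0.5 query=www.example.com. type=A",
    "2022-11-15T10:02:13Z client=10.0.0.7 query=cdn.app.masprestamos.xyz. type=A",
]

if __name__ == "__main__":
    print(match_packages(SAMPLE_PM, load_list(PACKAGE_IOCS)))
    print(match_hashes(SAMPLE_DIGESTS, load_list(HASH_IOCS)))
    print(match_dns(SAMPLE_DNS, cc_hosts(CC_IOCS)))
```

Hash matching is the weakest of the three checks, since any repacked build produces a new digest; the package-name and C&C-host checks catch the variants the report groups together, and a hit on either is enough to pull the device for review.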