UPDATED 05:00 EDT / DECEMBER 15 2022

‘MoneyMonger’ malware steals personal information to blackmail users

Researchers at mobile security company Zimperium Inc.’s zLabs today revealed details of a newly discovered Android malware campaign hidden in money lending apps developed with the Flutter software development kit.

Flutter is a multiplatform user interface framework from Google LLC used to build applications that run across several platforms, including Android and iOS. The malware campaign, dubbed MoneyMonger, uses personal information stolen from a device to blackmail victims into paying more than the terms of their predatory loans required.

MoneyMonger is said to take advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis. The malicious code and activity hide behind the Flutter framework, missed by the analysis capabilities of legacy mobile security products, the researchers say.

It’s distributed in apps available on third-party app stores and can also be sideloaded onto a victim’s device through phishing messages, compromised websites, social media campaigns and other tactics.

Active since May 2022, the malware uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme promising quick money. When victims install an infected app, they’re told that permissions are needed on the mobile endpoint to confirm they’re in good standing to receive the loan. Once those permissions are granted, MoneyMonger uploads victims’ critical and personal data to its server, including installed apps, GPS locations, SMS, contact information, device information, metadata of images and more.

The information stolen by MoneyMonger is used to blackmail and threaten victims into paying excessively high interest rates. If the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors threaten to reveal information, call people from the contact list and even send photos from the device.

The loan scam angle aside, the researchers note that MoneyMonger is a risk to individuals and enterprises because of the wide range of data collected from victims’ devices, including potentially sensitive enterprise-related material and proprietary information.

The actors behind MoneyMonger are constantly developing and updating the app to avoid detection, XOR-encrypting strings on the Java side while adding more information on the Flutter side. The number of victims is unknown given the use of third-party stores and sideloading for distribution, but many of the third-party app stores report more than 100,000 downloads of infected malicious applications.
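The XOR-encrypted strings mentioned above are the kind of obfuscation that defeats a plain string search over an APK’s Java classes, and the following Python is an added example of how an analyst recovers them; it is not Zimperium’s code and not taken from the malware. The article does not say how the XOR is keyed, so the single-byte key and the sample strings below are constructed assumptions for illustration only.

```python
"""
Recovering XOR-obfuscated strings during static analysis.

Added example for this article, not Zimperium's or the malware's code. The
obfuscated blob is CONSTRUCTED here by XOR-ing a made-up string with a
single-byte key; the single-byte scheme is an assumption used for illustration
(the article only says strings on the Java side are XOR-encrypted).
"""
import string
from typing import List, Tuple

PRINTABLE = frozenset(string.printable.encode("ascii"))

# Tokens an analyst expects inside a data-stealing app's strings: upload
# endpoints and the Android permission names it requests. A candidate decoding
# that contains one of these is strong evidence it is the real plaintext.
INDICATORS = (b"http", b"://", b"android.permission.", b"READ_SMS",
              b"READ_CONTACTS", b"ACCESS_FINE_LOCATION")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. Symmetric: the same call obfuscates and recovers."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> float:
    """0.0 if any byte is non-printable; otherwise 1.0 plus one point per indicator hit."""
    if not candidate or any(b not in PRINTABLE for b in candidate):
        return 0.0
    hits = sum(candidate.count(tok) for tok in INDICATORS)
    return 1.0 + hits


def recover(blob: bytes) -> List[Tuple[int, bytes, float]]:
    """Try all 255 non-zero single-byte keys; return (key, plaintext, score), best first."""
    ranked = []
    for key in range(1, 256):
        plain = xor_single_byte(blob, key)
        s = score(plain)
        if s > 0:
            ranked.append((key, plain, s))
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked


def contains_indicator(data: bytes) -> bool:
    """What a naive string grep over the binary would find: nothing, once XOR-ed."""
    return any(tok in data for tok in INDICATORS)


# --- constructed sample (not from any real sample) --------------------------
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"https://c2.example.invalid/upload?perm=android.permission.READ_SMS"
SAMPLE_BLOB = xor_single_byte(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print("naive grep finds an indicator in the obfuscated blob:",
          contains_indicator(SAMPLE_BLOB))
    best_key, best_plain, best_score = recover(SAMPLE_BLOB)[0]
    print(f"best key 0x{best_key:02x} (score {best_score}): {best_plain.decode()}")
```

Ranking by indicator hits rather than by printability alone matters because several wrong keys still map a short string to fully printable bytes; only the correct key produces the endpoint and permission tokens a detection rule would key on.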

“The extremely novel MoneyMonger malware campaign highlights a growing trend by malicious actors to use blackmail and threats to scam victims out of money,” Richard Melick, director of mobile threat intelligence at Zimperium, said in a statement. “Quick loan programs are often full of predatory models, such as high interest rates and payback schemes, but adding blackmail into the equation increases the level of maliciousness.”
