MoneyMonger “takes advantage of Flutter`s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis,” Zimperium researchers Fernando Sanchez, Alex Calleja , Matteo Favaro, and Gianluca Braga said in a report shared with the Hacker news. “Due to the nature of Flutter, the malicious code and activity now hide behind a framework outside the static analysis capabilities of legacy mobile security products”. The campaign, believed to be active since May 2022, is part of a broader effort previously disclosed by Indian cybersecurity firm K7 Security Labs.
A previously undocumented Android malware campaign has been observed leveraging money-lending apps to blackmail victims into paying up with personal information stolen from their devices. Mobile security company Zimperium dubbed the activity MoneyMonger, pointing out the use of the cross-platform Flutter framework to develop the apps.
None of the 33 apps used in the deceptive scheme have been distributed through the Google Play Store. The money lending applications, instead, are available through unofficial app stores or sideloaded to the phones via smishing, compromised websites, rogue ads, or social media campaigns. Once installed, the malware poses a risk as it’s designed to prompt the users to grant it intrusive permissions under the pretext of guaranteeing a loan, and harvesting a wide range of private information.
The scale of the campaign is unclear owing to the use of sideloading and third-party app stores, but the rogue apps are estimated to have racked up over 100,000 downloads through the distribution vector. Zimperium Director of Mobile Threat Intelligence Richard Melick said in a statement: “Quick loan programs are riddled with predatory models such as high-interest rates and repayment models, but adding blackmail to the equation adds to the discomfort”. The findings come two weeks after Lookout discovered nearly 300 mobile loan applications on Google Play and Apple’s App Store.
The collected data – which includes GPS locations, SMSes, contacts, call logs, files, photos, and audio recordings – is then used as a pressure tactic to force victims into paying excessively high-interest rates for the loans, sometimes even in cases after the loan is repaid. To make matters worse, the threat actors subject the borrowers to harassment by threatening to reveal their information, call people from the contact list, and send abusive messages and morphed photos from the infected devices.
Not only do these apps extract huge amounts of user data, they also feature hidden fees, high-interest rates, and payment terms used to extort victims into paying illicit loans. Late last month, Lookout “exploited a victim’s desire to borrow money quickly, tying the borrower into predatory loan agreements and demanding access to sensitive information such as contacts and text his messages.