Zimperium has discovered a novel predatory loan malware hiding in mobile apps developed with Flutter.
According to research from the Zimperium zLabs team, the threat, dubbed MoneyMonger, uses personal information stolen from a device to blackmail victims into paying more than the terms that their predatory loans required.
The team says this code is part of a more extensive predatory loan malware campaign previously discovered by K7 Security Labs.
MoneyMonger is said to take advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis.
The research team says that due to the nature of Flutter, the malicious code and activity hide behind a framework outside the static analysis capabilities of legacy mobile security products.
It is perceived as a risk to individuals and enterprises because it collects a wide range of data from the victim’s device, including potentially sensitive enterprise-related material and proprietary information.
Active since May 2022, the threat utilises multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme promising quick money. In the process of setting up the app, the victim is told that permissions are needed on the mobile endpoint to ensure they are in good standing to receive the loan.
The MoneyMonger malware is distributed solely through third-party app stores or is sideloaded onto the victim’s device through phishing messages, compromised websites, social media campaigns or other tactics. It has not been found in any Android app stores.
Once the malicious actors gain access to steal private information from the endpoint, MoneyMonger uploads victims’ critical and personal data to its server, including installed apps, GPS locations, SMS, contact information, device information, metadata of images, and more.
This stolen information is used to blackmail and threaten victims into paying excessively high-interest rates. If the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors threaten to reveal information, call people from the contact list, and even send photos from the device.
Malicious actors behind MoneyMonger are constantly developing and updating the app to avoid detections by adding XOR encryption in the string on the Java side, while also adding more information on the Flutter-dart side.
The total number of victims is unknown due to the use of third-party stores and sideloading for distribution, however many of the unauthorised app stores report over 100,000 downloads of the malicious application.
“The extremely novel MoneyMonger malware campaign highlights a growing trend by malicious actors to use blackmail and threats to scam victims out of money,” says Richard Melick, Director of Mobile Threat Intelligence at Zimperium.
“Quick loan programs are often full of predatory models, such as high-interest rates and payback schemes, but adding blackmail into the equation increases the level of maliciousness. Any device connected to enterprise data poses a risk to the enterprise if an employee falls victim to the MoneyMonger predatory loan scam on that device.”