MoneyMonger extortion malware hides in Flutter mobile apps

An Android malware campaign called MoneyMonger was found hidden in money lending apps developed with Flutter. It is emblematic of a rising tide of extortion by cybercriminals targeting consumers, and the victims' employers will feel the repercussions too.

According to research by Zimperium’s zLabs team, the malware uses multiple layers of social engineering to exploit its victims, allowing malicious actors to steal private information from personal devices and then use that information to blackmail individuals.

Distributed through third-party app stores and loaded onto victims' Android devices, MoneyMonger was designed from the ground up to be malicious and to target people in need of quick cash, according to Zimperium researchers. The lure is a predatory lending scheme that promises fast money to anyone who follows a few simple instructions.

During setup, the app tells the victim that a set of device permissions is required to confirm they are in good standing to receive credit. Those permissions are then used to collect and exfiltrate the contact list, GPS location, the list of installed apps, audio recordings, call logs, SMS messages, and device storage and file listings. The app also requests camera access.

This stolen information is used to blackmail and threaten victims into paying excessive interest rates. If the victim doesn’t pay on time, and in some cases even after repaying the loan, the malicious actors threaten to disclose information, call people from the contact list, and even send photos from the device.

One of the new and interesting things about this malware is how it uses the Flutter software development kit to hide malicious code.

While the open-source user interface (UI) toolkit Flutter was a game changer for application developers, malicious actors have also taken advantage of its capabilities and framework, delivering apps that pose critical security and privacy risks to unsuspecting victims.

In this case, MoneyMonger uses Flutter's framework to obfuscate malicious functions and make it harder to detect malicious activity through static analysis, Zimperium researchers explained in a Dec. 15 blog post. Release builds of Flutter apps compile the Dart code ahead of time into a native library (libapp.so) rather than into Dalvik bytecode, so tooling that inspects an APK's DEX classes sees only a thin platform shim and none of the app's actual logic.
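Both observations, the blackmail-grade permission set described in the setup paragraph above and the Flutter packaging, can be checked statically before an app is trusted. The Python below is an added example written for this article; it is not Zimperium's code and is not derived from the MoneyMonger sample. It parses a decoded AndroidManifest.xml (text, as apktool writes it; the binary manifest inside a raw APK would first need an AXML decoder such as androguard), lists the permissions requested, and checks the APK's file list for the Flutter engine and AOT snapshot libraries. The manifest and the in-memory APK are constructed for the example, and the "blackmail-capable" rule is a heuristic of my own, not a published detection signature.

```python
"""Static triage of a suspected predatory-lending APK (added example, not from the original report)."""
import io
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, mapped to the data class each one exposes.
# The set mirrors the data the article says MoneyMonger collects.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps list",
    "android.permission.RECORD_AUDIO": "sound recordings",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_EXTERNAL_STORAGE": "files on device",
    "android.permission.CAMERA": "camera",
}

# Material an extortionist can threaten to leak or send to the victim's contacts.
LEVERAGE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
}

# Flutter release builds ship the engine and the AOT-compiled Dart code as native libraries.
FLUTTER_LIBS = ("libflutter.so", "libapp.so")


def requested_permissions(manifest_xml) -> set:
    """Permission names from a *decoded* AndroidManifest.xml (text, as apktool writes it)."""
    data = manifest_xml.encode() if isinstance(manifest_xml, str) else manifest_xml
    root = ET.fromstring(data)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def apk_entries(apk) -> list:
    """File list of an APK given as a path or as raw bytes (an APK is a zip archive)."""
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    with zipfile.ZipFile(src) as z:
        return z.namelist()


def flutter_indicators(entries) -> list:
    """Paths of Flutter runtime artifacts found in the file list."""
    return sorted(e for e in entries if e.endswith(FLUTTER_LIBS))


def triage(manifest_xml, apk) -> dict:
    perms = requested_permissions(manifest_xml)
    sensitive = {p: SENSITIVE_PERMISSIONS[p] for p in perms & set(SENSITIVE_PERMISSIONS)}
    flutter = flutter_indicators(apk_entries(apk))
    # Heuristic (mine, not a published signature): the extortion described in the article
    # needs the victim's contacts plus at least one kind of material to threaten them with.
    blackmail_capable = ("android.permission.READ_CONTACTS" in perms
                         and bool(perms & LEVERAGE_PERMISSIONS))
    return {
        "flutter": bool(flutter),
        "flutter_files": flutter,
        "exposed_data": sorted(sensitive.values()),
        "blackmail_capable": blackmail_capable,
    }


# --- constructed sample input (not a real app) -------------------------------------
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickcash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def build_sample_apk() -> bytes:
    """In-memory zip with the layout of a Flutter release APK; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary AXML stub, not parsed here
        z.writestr("classes.dex", b"dex\n035\x00")              # thin Java/Kotlin shim only
        z.writestr("lib/arm64-v8a/libflutter.so", b"\x7fELF")   # Flutter engine
        z.writestr("lib/arm64-v8a/libapp.so", b"\x7fELF")       # AOT-compiled Dart: the app logic
    return buf.getvalue()


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, build_sample_apk())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real sample, `apk_entries` takes the APK path directly, and `requested_permissions` takes the manifest from an apktool-decoded directory. A Flutter hit on its own means nothing (plenty of legitimate apps are built with Flutter); the point is that a lending app whose Dart logic is invisible to DEX-level tooling and which asks for contacts plus SMS, call logs, camera or storage deserves dynamic analysis rather than a pass.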

The risk to companies comes from the breadth of data collected

Richard Melick, Director of Mobile Threat Intelligence at Zimperium, tells Dark Reading that consumers using money lending apps are most at risk, but due to the nature of this threat and the way attackers steal sensitive information for blackmail, they also put their employers, and any other organizations they work with, at risk.

“It’s very easy for the attackers behind MoneyMonger to steal information from company emails, downloaded files, personal emails, phone numbers or other company apps on the phone and use it to blackmail their victims,” he says.

According to Melick, MoneyMonger poses a risk to individuals and companies because it collects a wide range of data from the victim’s device, including potentially sensitive company-related material and proprietary information.

“Any device connected to company data poses a risk to the company if an employee on that device falls victim to MoneyMonger’s bootleg scam,” he says. “Victims of this predatory loan could be forced to steal to pay for the extortion or fail to report the theft of critical company data by the malicious actors behind the campaign.”

Melick says personal mobile devices represent a significant unaddressed attack surface for businesses. He notes that mobile malware is becoming more sophisticated, and without the threat telemetry and critical defenses to defend against this growing subset of malicious activity, organizations and their employees are at risk.

“Whether it’s proprietary or part of a BYOD strategy, the need for security is critical to staying ahead of MoneyMonger and other advanced threats,” he says. “Education is only part of the key here, and technology can fill in the gaps, minimizing risk and exposure to MoneyMonger and other threats.”

Also remember not to download apps from unofficial app stores; official stores like Google Play have protections in place for users, a Google spokesman told Dark Reading.

“None of the malicious apps identified in the report are on Google Play,” he said. “Google Play Protect uses Google Play Services to scan Android devices for potentially malicious apps from other sources. Google Play Protect warns users attempting to install or launch apps identified as malicious.”

Resurgence of banking Trojans

The MoneyMonger malware follows the resurgence of the SOVA Android banking Trojan, which now has updated features and an additional version is in development that contains a ransomware module.

Other Trojans have also re-emerged with updated features to bypass security, including Emotet, which began life as a banking Trojan and returned in a more advanced form earlier this summer after being taken down by a joint international task force in January 2021.

Nokia’s 2021 Threat Intelligence Report warns that banking malware threats are on the rise as cybercriminals target the growing popularity of mobile banking on smartphones and look to steal personal banking and credit card information.

Blackmail threats are expected to continue into 2023

Melick points out that blackmail is nothing new for malicious actors, as has been seen with ransomware attacks and data breaches on a global scale.

“However, using extortion on such a personal level, targeting individual victims, is a somewhat novel approach that requires manpower and time,” he says. “But it’s paying off and based on the number of reviews and complaints about MoneyMonger and other predatory credit scams similar to this one, it will only continue.”

He predicts that market and financial conditions will leave some people desperate for ways to pay bills or get extra cash.

“Just as we saw in the last recession how predatory credit scams emerged,” he says, “it’s almost guaranteed that we’ll continue this model of theft and extortion through 2023.”