FluHorse
FluHorse is a Flutter-based Android credential stealer targeting East Asian users, first documented by Check Point Research in May 2023. What distinguishes FluHorse from other Android malware is its use of the Flutter framework (Dart language) for implementing malicious functionality. Because Flutter compiles Dart code into a native shared library (libapp.so) that runs inside a custom virtual machine, traditional Android reverse engineering tools cannot decompile or analyze the business logic through standard Dalvik/Java approaches. FluHorse impersonates popular toll-collection and banking apps in Taiwan and Vietnam, harvesting credentials, credit card data, and 2FA codes intercepted from SMS. Activity traces back to at least May 2022, and campaigns continue, with new infrastructure and apps deployed each month.
Overview
| Attribute | Details |
|---|---|
| First Seen | May 2022 (earliest activity), May 2023 (public disclosure) |
| Status | Active |
| Type | Credential stealer, SMS interceptor |
| Attribution | Unknown |
| Discovered By | Check Point Research |
| Target Region | East Asia (Taiwan, Vietnam) |
| Distribution | Phishing emails with fake APK download links |
| Notable Feature | Built with Flutter/Dart, business logic compiled into libapp.so |
Distribution
| Vector | Details |
|---|---|
| Phishing emails | Targeted emails sent to high-profile entities including government officials and employees of large industrial companies |
| Fake APK downloads | Email links direct victims to phishing sites hosting malicious APKs |
| App impersonation | Mimics popular legitimate apps with over 1 million installs each |
FluHorse campaigns begin with targeted phishing emails. The emails are crafted to appear urgent and credible, sometimes referencing payment issues or account problems. Recipients are directed to a phishing site via a link in the email, where they download a fake app APK. The social engineering relies on impersonating apps that the target audience already trusts and uses frequently.
Impersonated Applications
| App | Region | Legitimate Installs |
|---|---|---|
| ETC (Electronic Toll Collection) | Taiwan | 1,000,000+ |
| VPBank Neo | Vietnam | 1,000,000+ |
| Unnamed major transportation app | Taiwan | 1,000,000+ |
The Taiwan targeting leverages the Far Eastern Electronic Toll Collection (FETC) system, which processes approximately 16 million transactions per day across more than 6 million users, making it a high-value impersonation target.
Capabilities
- Credential theft: fake login screens prompt victims to enter account credentials, which are exfiltrated to the C2 server
- Credit card harvesting: prompts victims to enter credit card details under the guise of payment processing
- SMS interception: intercepts all incoming SMS messages, including 2FA codes, using the Telephony package
- 2FA bypass: captured SMS authentication codes enable attackers to bypass two-factor authentication on compromised accounts
- Delayed execution: after credential submission, the app displays a "system is busy" message while silently processing stolen data, buying time before the victim suspects anything
Technical Details
Flutter Architecture
FluHorse's defining technical characteristic is its use of the Flutter framework. The malware is written in Dart and compiled using Flutter's ahead-of-time (AOT) compilation:
| Component | Role |
|---|---|
| libflutter.so | Flutter engine (legitimate framework library) |
| libapp.so | Compiled Dart payload containing all malicious logic |
| Kotlin wrapper | Minimal Android shell, handles app launch and Flutter engine initialization |
The Dart code inside libapp.so runs within Flutter's custom virtual machine rather than the Dalvik VM. Standard Android reverse engineering tools like jadx or apktool cannot decompile this payload. Analyzing libapp.so requires specialized approaches for Dart AOT snapshots, which involve optimized and poorly documented formats with limited tooling support.
Fortinet's FortiGuard Labs published a detailed reverse engineering analysis demonstrating techniques for statically reversing the Dart AOT snapshot within libapp.so. This work, later presented at Virus Bulletin 2024, advanced the tooling available for analyzing Flutter-based malware.
Malicious Flow
- Victim installs the fake app from the phishing site
- App displays a convincing replica of the legitimate app's login interface
- Victim enters credentials (account details or credit card data)
- Data is exfiltrated to the C2 server via HTTP POST
- App displays a "system is busy" holding screen for several minutes
- Meanwhile, the Dart payload begins intercepting all incoming SMS messages
- Intercepted SMS messages (including 2FA codes) are forwarded to the C2 server
- After the delay period, the app tells the user to try again later
C2 Communication
FluHorse uses HTTP-based C2 communication. The Dart payload sends stolen data via HTTP POST requests to attacker-controlled servers. Fortinet's analysis identified the path /addcontent3 as one of the endpoints used for exfiltrating intercepted SMS messages. The simplicity of the protocol reflects the malware's overall design philosophy: rely on the Flutter framework for obfuscation rather than implementing custom evasion in the network layer.
Anti-Analysis
| Technique | Details |
|---|---|
| Flutter framework | Business logic in libapp.so defeats standard Android decompilation |
| Dart AOT compilation | Custom VM with optimized, undocumented snapshot format |
| Minimal native code | Almost no analyzable Kotlin/Java logic; everything is in Dart |
| Packing (later samples) | June 2023 samples introduced packing, indicating operational maturity |
The initial May 2023 campaign samples had minimal obfuscation and no packing. By June 2023, Check Point observed packed samples appearing, showing the operators were actively hardening their toolchain.
Versions and Evolution
| Period | Development |
|---|---|
| May 2022 | Earliest observed FluHorse activity |
| May 2023 | Check Point Research publishes initial disclosure, samples unpacked |
| June 2023 | Packed samples observed, indicating increased operational maturity |
| 2023-present | Ongoing campaigns with new infrastructure and apps deployed monthly |
Why Flutter Matters for Offense
For detailed Flutter reverse engineering methodology, see the Flutter framework page.
Flutter's adoption by malware authors represents a practical shift in Android threat development. The framework provides several advantages:
- Analysis barrier: the Dart AOT snapshot in libapp.so cannot be processed by jadx, apktool, or other standard Android RE tools. Analysts must use specialized Dart snapshot parsers, which are immature and frequently break across Flutter versions.
- Cross-platform potential: Flutter natively supports Android, iOS, web, and desktop from a single codebase, though FluHorse has only been observed on Android.
- Rapid UI development: Flutter's widget system makes it straightforward to create convincing replicas of legitimate app interfaces, improving phishing effectiveness.
- Low malicious footprint in DEX: since the malicious logic lives in native code (libapp.so), the Android manifest and DEX classes contain almost nothing suspicious, potentially evading signature-based detection focused on Dalvik bytecode.
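The low-DEX-footprint point above and the Flutter Architecture section both imply the same triage signal for defenders: a Dart AOT payload in libapp.so shipped by an app that also requests SMS permissions. The following is an added example (not code from the page, Check Point, or Fortinet) of that heuristic; it assumes the binary AndroidManifest.xml string pool stores permission names as UTF-16LE or UTF-8, that a Dart AOT library carries the snapshot symbol names listed, and it builds its sample APK inline.

```python
"""Triage heuristic: Flutter-built APK + SMS permissions.

Added example for illustration. Assumptions (see lead-in): the binary
AndroidManifest.xml string pool holds permission names as UTF-16LE or
UTF-8; a Dart AOT libapp.so contains the snapshot symbol names below.
"""
import io
import zipfile

SMS_PERMS = ("android.permission.RECEIVE_SMS", "android.permission.READ_SMS")
# Symbol names present in a Dart AOT snapshot library (assumed indicator).
DART_SNAPSHOT_SYMBOLS = (b"_kDartVmSnapshotInstructions",
                         b"_kDartIsolateSnapshotInstructions")


def _manifest_has(manifest: bytes, text: str) -> bool:
    # Binary AXML string pools store strings as UTF-16LE or UTF-8.
    return text.encode("utf-16-le") in manifest or text.encode("utf-8") in manifest


def triage_apk(apk_bytes: bytes) -> dict:
    """Return Flutter/Dart/SMS indicators for raw APK bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        libapp = [n for n in names if n.startswith("lib/") and n.endswith("/libapp.so")]
        flutter = any(n.startswith("lib/") and n.endswith("/libflutter.so") for n in names)
        dart_payload = any(any(sym in zf.read(n) for sym in DART_SNAPSHOT_SYMBOLS)
                           for n in libapp)
    sms = [p for p in SMS_PERMS if _manifest_has(manifest, p)]
    return {
        "flutter_engine": flutter,
        "dart_aot_payload": dart_payload,
        "sms_permissions": sms,
        # Dart payload plus SMS permissions: flag for manual review.
        "suspicious": dart_payload and bool(sms),
    }


def build_sample_apk(with_sms: bool) -> bytes:
    """Construct a minimal fake APK (constructed test data, not a real sample)."""
    manifest = b"\x03\x00\x08\x00" + "com.example.fakeapp".encode("utf-16-le")
    if with_sms:
        manifest += SMS_PERMS[0].encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("lib/arm64-v8a/libflutter.so", b"\x7fELF" + b"flutter engine stub")
        zf.writestr("lib/arm64-v8a/libapp.so", b"\x7fELF" + DART_SNAPSHOT_SYMBOLS[0] + b"\x00")
    return buf.getvalue()
```

On a real APK, feed the file's bytes to triage_apk; a hit only says the app deserves Dart snapshot analysis, since legitimate Flutter apps can also request SMS permissions.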
References
- Eastern Asian Android Assault - FluHorse - Check Point Research
- FluHorse - Check Point Blog
- Fortinet Reverses Flutter-based Android Malware "Fluhorse"
- Virus Bulletin 2024 - Android Flutter Malware
- New Android Malware FluHorse Targeting East Asian Markets - The Hacker News
- Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes - The Hacker News
- New Android FluHorse malware steals your passwords, 2FA codes - BleepingComputer
- FluHorse - Malpedia