Zimperium detects predatory loan malware hiding in mobile apps developed with Flutter

Zimperium, the only mobile security platform purpose-built for enterprise environments, has revealed details of a newly discovered Android malware campaign hidden in money lending apps developed with Flutter.

Flutter is a software development kit used to create applications that work across multiple platforms, including Android and iOS.

The Zimperium zLabs team discovered this threat, dubbed MoneyMonger, which uses personal information stolen from a device to blackmail victims into paying more than the terms that their predatory loans required. This code is part of a larger predatory loan malware campaign previously discovered by K7 Security Labs.

MoneyMonger takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis. Due to the nature of Flutter, the malicious code and activity now hide behind a framework outside the static analysis capabilities of legacy mobile security products.

The MoneyMonger malware is distributed solely through third-party app stores or is sideloaded onto the victim’s device through phishing messages, compromised websites, social media campaigns or other tactics. It has not been found in any Android app stores.

Active since May 2022, this novel malware uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme promising quick money. In the process of setting up the app, the victim is told that permissions are needed on the mobile endpoint to ensure they are in good standing to receive the loan. Once the malicious actors gain access to steal private information from the endpoint, MoneyMonger uploads victims’ critical and personal data to its server, including installed apps, GPS locations, SMS, contact information, device information, metadata of images, and more.

This stolen information is used to blackmail and threaten victims into paying excessively high-interest rates. If the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors threaten to reveal information, call people from the contact list, and even send photos from the device.

MoneyMonger is a risk to individuals and enterprises because it collects a wide range of data from the victim’s device, including potentially sensitive enterprise-related material and proprietary information.

The malicious actors behind MoneyMonger are constantly developing and updating the app to avoid detections by adding XOR encryption in the string on the Java side, while also adding more information in the Flutter-dart side.

The total number of victims is unknown due to the use of third-party stores and sideloading for distribution, however many of the unauthorized app stores report over 100,000 downloads of the malicious application.

“The extremely novel MoneyMonger malware campaign highlights a growing trend by malicious actors to use blackmail and threats to scam victims out of money,” said Richard Melick, Director of Mobile Threat Intelligence at Zimperium.

“Quick loan programs are often full of predatory models, such as high-interest rates and payback schemes, but adding blackmail into the equation increases the level of maliciousness. Any device connected to enterprise data poses a risk to the enterprise if an employee falls victim to the MoneyMonger predatory loan scam on that device.”

For more information on MoneyMonger, visit: https://www.zimperium.com/blog/moneymonger-predatory-loan-scam-campaigns-move-to-flutter