This new Android malware is stealing passwords and 2FA codes — what you need to know

What makes FluHorse particularly dangerous is the malware’s ability to steal passwords and 2FA codes from infected devices. Likewise, most of the apps impersonated in this campaign have over one million installs according to Check Point’s report on the matter.

Using unpaid invoices as a lure

The FluHorse malware is currently being spread through malicious apps impersonating the Taiwanese toll app ETC and the Vietnamese banking app VPBank Neo. The legitimate versions of both of these apps each have over a million installations.

The attacks used in this campaign begin with malicious emails sent out to high-profile targets. The emails themselves use unpaid invoices as a lure and contain links to phishing sites where recipients are encouraged to download the APK file for the ETC, VPBank Neo or an unnamed transportation app used by 100,000 people.

Upon installation, all three malicious apps request SMS access on an infected Android smartphone in order to intercept incoming 2FA codes which are then used to hijack a victim’s accounts.

To appear more legitimate, all of these fake apps copy the user interfaces of their legitimate counterparts. However, after stealing a victim’s account credentials and credit card details, the apps show a message which says that “system is busy” for 10 minutes. This gives the hackers behind this campaign more time to steal data from victims while making the process appear realistic.

Once the process is complete, the hackers have everything they need to commit fraud or even identity theft. While the FluHorse malware has yet to be used on targets in English-speaking countries, campaigns similar to this one could be launched by cybercriminals looking to make a quick buck.

How to stay safe from phishing and malicious Android apps

As this campaign is a bit more complicated than previous ones we’ve covered in the past, you need to know how to spot a phishing campaign as well as how to stay safe from malicious apps to avoid falling victim to it.

For starters, the emails used in this campaign are classic examples of phishing attempts as they try to instill a sense of urgency in targeted users. If someone who receives an email like this is a high-profile target worried that they might owe someone money, they’re more likely to either respond to the email or click on the malicious link found inside it. This is why you always want to look out for emails from unknown senders — especially those that claim you have an unpaid invoice.

From here, you need to be extremely cautious when an email or a phishing site tries to convince you to download an APK file to sideload an Android app. Any legitimate business will host its apps on the Google Play Store instead of having you download and manually install them. Even if you did install one of these malicious apps, the fact that they ask for permission to read and send text messages sent to your phone is another red flag. Regardless of where you install an app from, you need to be careful when granting permissions as in doing so, you’re basically giving a great deal of control over your smartphone to an app.

To avoid falling victim to malicious apps and having your devices infected with malware, you want to make sure that Google Play Protect is enabled on your smartphone. This free app which comes pre-loaded on your phone scans both your existing apps and any new ones you download for malware. For extra protection though, you can also install one of the best Android antivirus apps.

As FluHorse is a new Android malware, we’ll likely see it used in other campaigns going forward which is why every Android user needs to be careful, both when checking your inbox and when installing new apps.

More from Tom's Guide

• I’m a security editor and this is how I create strong passwords
• 7 easy ways to improve your online security for free
• Protect all of your devices with one of the best internet security suites