The FluHorse malware steals 2FA codes from Android phones.

According to PhoneArena , the FluHorse malware is spread via email and will steal credit card data, passwords, and even two-factor authentication (2FA) codes. Attacks have been occurring in East Asia since 2022, often starting with an email sent to potential victims requesting immediate payment to fix an account issue.

The email contained a link that directed victims to fake versions of legitimate apps. These fake apps included ETC – a toll-collecting app in Taiwan – and VPBank Neo – a banking app in Vietnam. The official versions of each app had over 1 million downloads from the Google Play Store. Check Point also discovered a fake version of a real transportation app with 100,000 downloads, but the company did not mention its specific name.

To hijack any 2FA codes sent, three apps will request SMS access. The fake apps mimic the user interface of the official apps but do little more than collect user information, including credit card data. Then, to make it appear as though a real processing is underway, the screen displays a message saying "system busy" for 10 minutes. But in reality, the 2FA code is being stolen along with personal information.

Check Point states that FluHorse is an ongoing threat to Android users, so it's best for users not to provide personal information such as credit card numbers and social security numbers online. Because this organized attack has been detected in several regions around the world , people need to be vigilant in protecting their personal data.