Blackmailing MoneyMonger Malware Hides in Flutter Mobile Apps

Money-lending apps built using the Flutter software development kit hide a predatory spyware threat and highlight a growing trend of using personal data for blackmail.

5 Min Read
young woman holding forehead looking at mobile phone
Source: Alexsandr Davydov via Alamy Stock Photo

An Android malware campaign dubbed MoneyMonger has been found hidden in money-lending apps developed using Flutter. It's emblematic of a rising tide of blackmailing cybercriminals targeting consumers — and their employers stand to feel the effects, too.

According to research from the Zimperium zLabs team, the malware uses multiple layers of social engineering to take advantage of its victims and allows malicious actors to steal private information from personal devices, then use that information to blackmail individuals.

The MoneyMonger malware, distributed through third-party app stores and sideloaded onto victims' Android devices, was built from the ground up to be malicious, targeting those in need of quick cash, according to Zimperium researchers. It uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme and promising quick money to those who follow a few simple instructions.

In the process of setting up the app, the victim is told that permissions are needed on the mobile endpoint to ensure they are in good standing to receive a loan. These permissions are then used to collect and exfiltrate data, including from the contact list, GPS location data, a list of installed apps, sound recordings, call logs, SMS lists, and storage and file lists. It also gains camera access.

This stolen information is used to blackmail and threaten victims into paying excessively high-interest rates. If the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors threaten to reveal information, call people from the contact list, and even send photos from the device.

One of the new and interesting things about this malware is how it uses the Flutter software development kit to hide malicious code.

While the open source user interface (UI) software kit Flutter has been a game changer for application developers, malicious actors have also taken advantage of its capabilities and framework, deploying apps with critical security and privacy risks to unsuspecting victims.

In this case, MoneyMonger takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis, Zimperium researchers explained in a Dec. 15 blog post.

Risk to Enterprises Stems from Wide Range of Data Collected

Richard Melick, director of mobile threat intelligence at Zimperium, tells Dark Reading that consumers using money lending apps are most at risk, but by the nature of this threat and how attackers steal sensitive information for blackmail, they are also putting their employers or any organization they work with at risk, too.

"It’s very easy for the attackers behind MoneyMonger to steal information from corporate email, downloaded files, personal emails, phone numbers, or other enterprise apps on the phone, using it to extort their victims," he says.

Melick says MoneyMonger is a risk to individuals and enterprises because it collects a wide range of data from the victim’s device, including potentially sensitive enterprise-related material and proprietary information.

"Any device connected to enterprise data poses a risk to the enterprise if an employee falls victim to the MoneyMonger predatory loan scam on that device," he says. "Victims of this predatory loan might be compelled to steal to pay the blackmail or not report the theft of critical enterprise data by the malicious actors behind the campaign."

Melick says that personal mobile devices represent a significant, unaddressed attack surface for enterprises. He points out that malware against mobile only continues to get more advanced, and without the threat telemetry and critical defense in place to stand up against this growing subset of malicious activity, enterprises and their employees are left at risk.

"No matter if they are corporate-owned or part of a BYOD strategy, the need for security is critical to stay ahead of MoneyMonger and other advanced threats," he says. "Education is only part of the key here and technology can fill in the gaps, minimizing the risk and attack surface presented by MoneyMonger and other threats."

It's also important to remember to avoid downloading apps from unofficial app stores; official stores, like Google Play, do have protections for users, a Google spokesperson emphasized to Dark Reading.

"None of the identified malicious apps in the report are on Google Play," he said. "Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Google Play Protect will warn users that attempt to install or launch apps that have been identified to be malicious."

Resurgence of Banking Trojans

The MoneyMonger malware follows the resurgence of the Android banking Trojan SOVA, which now sports updated capabilities and an additional version in development that contains a ransomware module.

Other banking Trojans have resurfaced with updated features to help skate past security, including Emotet, which re-emerged earlier this summer in a more advanced form after having been taken down by a joint international task force in January 2021.

Nokia's 2021 "Threat Intelligence Report" warned that banking malware threats are sharply increasing, as cybercriminals target the rising popularity of mobile banking on smartphones, with plots aimed at stealing personal banking credentials and credit card information.

Blackmailing Threats Expected to Continue in 2023

Melick points out blackmail is not new to malicious actors, as has been seen in ransomware attacks and data breaches on a global scale.

"The use of blackmail on such a personal level, targeting individual victims, though, is a bit of a novel approach that takes an investment of personnel and time," he says. "But it is paying off and based on the number of reviews and complaints around MoneyMonger and other predatory loan scams similar to this, it is only going to continue."

He predicts market and financial conditions will leave some people desperate for ways to pay bills or get extra cash.

"Just as we saw predatory loan scams rise up in the last recession," he says, "it is almost guaranteed we will see this model of theft and blackmail continue into 2023."

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights