Android Flutter malware - Axelle Apvrille (Fortinet)

Presented at the VB2024 conference in Dublin, 2 - 4 October 2024.

Slides: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/slides/Slides-Android-Flutter-malware.pdf
Paper: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/Android-Flutter-malware.pdf
Details: https://www.virusbulletin.com/conference/vb2024/abstracts/android-flutter-malware/

PRESENTED BY
Axelle Apvrille (Fortinet)

ABSTRACT
Flutter is an open-source UI software development kit that can build applications for Android, iOS and non-mobile platforms from a single codebase. Performance is handled by ahead-of-time (AOT) native compilation in release builds. These attractive features have not gone unnoticed by malware authors.

In late 2022, and still active in 2024, the Android MoneyMonger family appeared. The family, also known as SpyLoan because it tempts victims with loan scams, uses Flutter primarily for its UI capabilities: the malicious payload (stealing device information) is implemented on the "standard" Java side and called on request from the Flutter side. In mid-2023, the Android Fluhorse family pushed the concept further and implemented the malicious payload on the Flutter side itself. Given the limited support for Flutter in disassemblers and other reverse engineering tools, this makes the malware analyst's task harder, and we should probably prepare for more of it.

Disassembling Flutter applications is special (and difficult) for several low-level reasons: the generated assembly dedicates some CPU registers to specific concepts, the calling convention is not standard, the representation of integers is unconventional, and the parsing of AOT snapshots is complex, undocumented and relies on custom formats (e.g. a custom LEB encoding).

This presentation aims to help malware analysts reverse engineer Flutter malware. We cover topics such as identifying the Flutter entry point, detecting communication between Flutter and Java, reading the Object Pool (with Blutter or JEB), recovering Flutter function names even when the AOT snapshot is stripped, and understanding the special representation of small integers. The presentation is illustrated with examples taken from recent unwanted Flutter applications of 2024 (e.g. porn agents, Mobidash...).
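Two of the representations the abstract calls out, the unconventional integer encoding and the custom LEB used in AOT snapshots, are small enough to show as a standalone decoder. The Python below is an added example, not code from the talk, its slides, or the Blutter/JEB projects. It assumes the Dart VM conventions as I recall them from the VM source (a small integer, or Smi, is stored as value << 1 with the low bit clear, and the snapshot stream varint terminates on the byte whose high bit is set, the reverse of standard LEB128, with the signed form biased by 192 and the unsigned form by 128); the constants should be checked against the Dart SDK version the sample was built with before relying on them.

```python
from typing import Optional, Tuple

# Assumed Dart VM datastream constants (runtime/vm/datastream.h); verify
# against the SDK version of the sample being analysed.
DATA_BITS_PER_BYTE = 7
BYTE_MASK = (1 << DATA_BITS_PER_BYTE) - 1            # 0x7f
MAX_UNSIGNED_DATA_PER_BYTE = BYTE_MASK                # 127
MAX_DATA_PER_BYTE = BYTE_MASK >> 1                    # 63 (signed last byte max)
MIN_DATA_PER_BYTE = -(1 << (DATA_BITS_PER_BYTE - 1))  # -64 (signed last byte min)
END_BYTE_MARKER = 255 - MAX_DATA_PER_BYTE             # 192, bias of the signed terminator
END_UNSIGNED_BYTE_MARKER = 255 - MAX_UNSIGNED_DATA_PER_BYTE  # 128, bias of the unsigned one


def _read_varint(buf: bytes, pos: int, end_marker: int) -> Tuple[int, int]:
    """Decode one Dart-style varint at buf[pos] and return (value, new_pos).

    Unlike standard LEB128, a byte with the high bit CLEAR is a continuation
    byte carrying 7 data bits; the first byte with the high bit SET terminates
    the number and contributes (byte - end_marker) at the current shift.
    """
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint at offset %d" % pos)
        b = buf[pos]
        pos += 1
        if b > MAX_UNSIGNED_DATA_PER_BYTE:
            # Terminator: subtracting the marker yields the last (signed) chunk.
            return result | ((b - end_marker) << shift), pos
        result |= b << shift
        shift += DATA_BITS_PER_BYTE


def read_unsigned(buf: bytes, pos: int = 0) -> Tuple[int, int]:
    """Unsigned snapshot varint (ReadUnsigned equivalent)."""
    return _read_varint(buf, pos, END_UNSIGNED_BYTE_MARKER)


def read_signed(buf: bytes, pos: int = 0) -> Tuple[int, int]:
    """Signed snapshot varint (Read<T> equivalent); Python's >> keeps the sign."""
    return _read_varint(buf, pos, END_BYTE_MARKER)


def write_unsigned(value: int) -> bytes:
    """Encoder mirroring the decoder, used here to build test vectors."""
    out = bytearray()
    while value > MAX_UNSIGNED_DATA_PER_BYTE:
        out.append(value & BYTE_MASK)
        value >>= DATA_BITS_PER_BYTE
    out.append(value + END_UNSIGNED_BYTE_MARKER)
    return bytes(out)


def write_signed(value: int) -> bytes:
    out = bytearray()
    while value < MIN_DATA_PER_BYTE or value > MAX_DATA_PER_BYTE:
        out.append(value & BYTE_MASK)
        value >>= DATA_BITS_PER_BYTE  # arithmetic shift, as in the VM
    out.append(value + END_BYTE_MARKER)
    return bytes(out)


def untag_smi(raw: int, word_bits: int = 64) -> Optional[int]:
    """Recover the integer behind a tagged Smi machine word.

    The Dart VM keeps small integers as (value << 1) with the low bit clear;
    a set low bit means the word is a tagged heap-object pointer, not a Smi,
    so None is returned. word_bits selects 64-bit or 32-bit sign extension.
    """
    if raw & 1:
        return None
    raw &= (1 << word_bits) - 1
    if raw >> (word_bits - 1):          # sign-extend the top bit
        raw -= 1 << word_bits
    return raw >> 1


if __name__ == "__main__":
    # Constructed sample: an unsigned 300 followed by a signed -100.
    stream = write_unsigned(300) + write_signed(-100)
    u, p = read_unsigned(stream)
    s, p = read_signed(stream, p)
    print("decoded:", u, s, "consumed", p, "bytes")
    print("Smi 0x54 ->", untag_smi(0x54), "| 0x55 is a Smi?", untag_smi(0x55) is not None)
```

When walking a stripped AOT snapshot by hand, the practical check is that every terminator byte is >= 0x80 and every continuation byte is < 0x80; a standard LEB128 reader applied to the same bytes stops one byte early and yields garbage offsets, which is the usual symptom when a generic tool is pointed at a Flutter snapshot.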