North Korean hackers target macOS users with Flutter malware
- Experts have found six malicious apps built for macOS
- The Apple IDs used to sign the apps have been revoked
- The malware was probably just an experiment
North Korean state-sponsored threat actors have been observed targeting macOS users with fake games and crypto tracking apps built with Flutter.
Cybersecurity researchers at Jamf recently found several apps on VirusTotal that appeared completely benign, yet connected to servers in North Korea, behaviour the researchers considered “phase one” malware functionality.
There are two particularly interesting details about this malware. First, it was created with Flutter, an open source user interface (UI) software development kit created by Google. It allows developers to build natively compiled applications for mobile (iOS and Android), web, and desktop (Windows, macOS, Linux) from a single codebase.
Six malicious apps
One of the apps was called ‘New Updates in Crypto Exchange (2024-08-28).app’ and others were labeled in a similar way. But when opened, they ran open source minesweeper games and the like.
Flutter, which uses the Dart programming language, obscures the malicious code by design, the researchers said. As a result the malware was not easy to recognize, which is why it appeared benign on VirusTotal.
The second interesting detail is that the apps are signed and notarized by a legitimate Apple Developer ID, meaning they passed Apple’s security checks at some point.
Jamf found a total of six apps, five of which were signed with a working Apple Developer ID. That ID has since been revoked.
Still, the researchers believe that the apps were never intended to be part of an actual hacking campaign and merely served as an experiment.
“The malware discovered in this blog shows strong signs that it is likely testing for greater weaponization,” she added. “This could perhaps be an attempt to see if a properly signed app with malicious code hidden in a dylib could be approved by Apple’s notarized server, and also slip under the radar of antivirus vendors.”
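As an added example (not Jamf's code and not from the original article), the following Python triage helper checks the two things the quote above turns on: whether codesign reports a Developer ID signature with the hardened runtime, and whether the bundle carries Flutter's App.framework dylib, which is where a Flutter build's compiled Dart code lives. The codesign output and the bundle layout are constructed samples, and the bundle is built in a temporary directory so the script runs on any platform.

```python
import tempfile
from pathlib import Path

# Flutter on macOS ships the engine and the AOT-compiled Dart dylib under Contents/Frameworks.
FLUTTER_MARKERS = ("Frameworks/FlutterMacOS.framework/FlutterMacOS",
                   "Frameworks/App.framework/App")
# Constructed `codesign -dvvv` output for the example; not a real sample.
SAMPLE_CODESIGN = """\
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Dev (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""

def parse_codesign(text):
    """Pull the signing facts a triage analyst checks first out of codesign output."""
    info = {"authorities": [], "team_id": None, "hardened_runtime": False}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "Authority":
            info["authorities"].append(value)
        elif key == "TeamIdentifier":
            info["team_id"] = value
        elif key.startswith("CodeDirectory") and "(runtime)" in value:
            info["hardened_runtime"] = True
    info["developer_id"] = any(a.startswith("Developer ID Application:") for a in info["authorities"])
    return info

def flutter_payloads(bundle):
    """Return the Flutter dylibs present in the bundle (the Dart payload lives in App.framework)."""
    contents = Path(bundle) / "Contents"
    return [m for m in FLUTTER_MARKERS if (contents / m).is_file()]

def triage(bundle, codesign_output):
    # A valid Developer ID signature is a fact to record, not a clean bill of health.
    sig = parse_codesign(codesign_output)
    flutter = flutter_payloads(bundle)
    findings = []
    if sig["developer_id"]:
        findings.append(f"Developer ID signed by team {sig['team_id']}; verify, do not trust")
    if flutter:
        findings.append("Flutter build; hash and inspect " + ", ".join(flutter))
    return {"signature": sig, "flutter": flutter, "findings": findings}

def demo():
    # Build a constructed Flutter-shaped .app in a temp dir and triage it.
    app = Path(tempfile.mkdtemp()) / "Sample.app"
    for rel in ("MacOS/Sample", *FLUTTER_MARKERS):
        target = app / "Contents" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic as a stand-in body
    return triage(app, SAMPLE_CODESIGN)
```

On a real macOS host, feed `triage()` the output of `codesign -dvvv /path/to/App.app` and pair it with `spctl -a -vv` for the notarization verdict.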
Via BleepingComputer