MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter

Share this blog

Executive Summary

Flutter, the open-source user interface (UI) software kit for cross-platform mobile applications, has helped drive new mobile applications onto the market. This modern mobile application framework removes many barriers to creating multi-platform applications, and developers can create native mobile apps with only one codebase. While Flutter has been a game changer for application developers, malicious actors have also taken advantage of its capabilities and framework, deploying apps with critical security and privacy risks to unsuspecting victims.

During a routine analysis of applications, the Zimperium zLabs team recently discovered and analyzed a Flutter application with malicious code. This code, part of a larger predatory loan malware campaign previously discovered by K7 Security Labs, takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis. Due to the nature of Flutter, the malicious code and activity now hide behind a framework outside the static analysis capabilities of legacy mobile security products.

Image 1: Intercept Flutter-Java communication
Image 1: Intercept Flutter-Java communication

The Flutter-obfuscated malware campaign, which we have named MoneyMonger, has not been detected in official Android stores. This novel malware campaign is solely distributed through third-party app stores and sideloaded onto the victim’s Android device. The new variant of this predatory loan campaign has been active since May 2022. Most commonly, these types of campaigns take advantage of social engineering through phishing messages, compromised websites, rogue WiFi networks, and social media to distribute the download links.

Image 2: Screenshot of one of the predatory loan apps on a third-party app store.
Image 2: Screenshot of one of the predatory loan apps on a third-party app store.

The MoneyMonger malware uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme, promising quick money to those who follow a few simple instructions. In the process of setting up the app, the victim is told that permissions are needed on the mobile endpoint to ensure they are in good standing to receive the loan. This gives the victim confidence to enable the very revealing local permissions on the devices, enabling the malicious actors to steal private information from the endpoint.

Image 3: Screenshots of reviews of the malicious app reporting predatory behavior
Image 3: Screenshots of reviews of the malicious app reporting predatory behavior
Image 4: Screenshots of reviews of the malicious app reporting predatory behavior
Image 4: Screenshots of reviews of the malicious app reporting predatory behavior
Image 5: Screenshots of reviews of the malicious app reporting predatory behavior
Image 5: Screenshots of reviews of the malicious app reporting predatory behavior

Finally, if the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors behind the predatory campaign will threaten to reveal information, call people from the contact list, and even send photos stolen from the device. This level of social engineering puts victims under increased pressure to comply, often paying more than originally agreed upon to make it stop.

Flutter’s use in the developer world has changed the face of mobile application development, and it is no surprise that malicious actors followed in their footsteps to quickly develop and deploy new variants of malware, just as they did with MoneyMonger.

What Threat Does MoneyMonger Pose?

MoneyMonger collects critical and personal data on unsuspecting victims, uploading the stolen information to its server, including installed apps, GPS locations, SMS, contact information, device information, metadata of images, and more. This stolen information is then used by malicious actors to blackmail and threaten the victims into paying excessively high-interest rates. As seen in the screenshots below, reviews of this app show the predatory and threatening behaviors behind the malicious actors.

Due to the nature of the data theft and blackmail in this predatory loan campaign, this malware poses a risk to enterprises just as it does to individuals. The malicious application collects a wide range of data from the victim’s device, and any enterprise-related material would be included in this theft, including potentially sensitive and proprietary information. Any device connected to enterprise data, whether corporate-owned or part of a BYOD policy, poses a risk to the enterprise if a user uses that device for the MoneyMonger predatory loan scam.

How MoneyMonger Works

The malicious actors behind MoneyMonger are constantly developing and updating the app to avoid detections by adding XOR encryption in the string on the Java side while also adding more information in the Flutter-dart side.

The MoneyMonger infected app requests access to the following permissions in order to collect and exfiltrate a wide variety of data and perform a wide range of malicious actions:

  • Camera Access
  • Contact List
  • GPS Location Data
  • Sound Recording
  • Call Logs
  • SMS Lists
  • Storage and File Lists

Similar to other mobile malware and spyware we have discovered, the MoneyMonger malware requests permissions from the victim in order to carry out the collection of critical and private information. Once access is granted to the malicious application, it is capable of collecting and sending the private data to a private server for use in blackmail later on.

These malicious apps are built in the Flutter framework, so part of the code exists within the Flutter code, obfuscating it from traditional Android malware detection. When the application starts, it collects the encrypted configuration within, decrypts it using an AES algorithm and then decrypts the “config” about the application at runtime.

Url Mapping:
Image 6: URL mapping
Image 6: URL mapping

App ID:

The above configuration defines the data collected from user devices that will be stored in fluentd (Open source data collection library).

Image 7: Application ID
Image 7: Application ID

Once the application has decrypted, its config is stored in the file “FlutterSharedPreferences” and the app presents the user with the privacy policy:

Image 8: Screenshot of the malicious application explaining permission gathering and privacy policy
Image 8: Screenshot of the malicious application explaining permission gathering and privacy policy

Once the user accepts the privacy policy, the application requests the following permissions:


By the use of ContactsContact API, the application can collect this information and store it in a hashMap that would be returned when this method finishes. The Java flow responsible for collecting information on the contacts is presented in the following image (Image 4).

Image 9: Collecting the victim’s contact information
Image 9: Collecting the victim’s contact information


The information of the SMS is obtained by accessing android.provider.Telephony.Sms.Inbox. This contains all text-based SMS data in the SMS app inbox. This method also has the sharedPreferences value “smsCount” that indicates the number of SMS to read. Like the previous flow, the application needs the user to give it SMS access permission.

Image 10: Collecting the victim’s SMS history
Image 10: Collecting the victim’s SMS history


To obtain the location, the application uses the LocationManager API, and as in the previous information, it obtains that information and returns it in a Map<String, Object>.

Image 11: Collecting the victim’s GPS location
Image 11: Collecting the victim’s GPS location

Access to files/photos:

During dynamic execution and analysis, the zLabs team observed the exfiltration of information off the victim’s device. This information includes metadata related to various files on the device. A possibility also exists for exfiltration of actual files off the device, but that was not observed dynamically.

The stolen information is uploaded to a private server.

Image 12: Accessing the victim’s files and photos
Image 12: Accessing the victim’s files and photos

However, the research team observed that in the Java side the application also has the possibility of uploading:

  • Complete images: (“pickImages”) → com.sangcomz.fishbun.ui.picker
  • Thumbnails (“requestThumbnail”)
  • Metadata (“RequestMetada”) → This information was the only one captured in the dynamic execution.
Image 13: Images collecting flow triggered from Flutter code
Image 13: Images collecting flow triggered from Flutter code

Other permissions requested:

Permissions to make and manage phone calls: The application has another flow that could be triggered, checking if the app contains a SIM in the device. The app creates an action.CALL intent and verifies if the getSimState == 5 (SIM_STATE_READY). Inside Flutter, this method would be triggered by calling checkServiceStatus.

Image 14: Check if the phone has a SIM card inserted in the device
Image 14: Check if the phone has a SIM card inserted in the device
Image 15: Flutter method “checkServiceStatus” responsible of triggering the flow presented in Image 14
Image 15: Flutter method “checkServiceStatus” responsible of triggering the flow presented in Image 14

The Communication Between Flutter and Java

The communication between Flutter and Java is done via MethodChannel. The following screenshot provides private information that would be leaked in the Java side:

  • device: Information about device (fingerprinting)
  • app: Information about the application installed in the device
  • contacts: Information about the contacts explained above
  • sms: Information about the SMSs
Image 16: Method on Java responsible for collecting the victim’s private information.
Image 16: Method on Java responsible for collecting the victim’s private information.

These methods collect the information mentioned above, and when traced backwards, we find that the original method that triggers “Collects_privateInfo” (renamed) is called “getAlldeviceInfo” in the Flutter code.

Image 17: Flutter method “getAlldeviceInfo” responsible of triggering collects_privateInfo()
Image 17: Flutter method “getAlldeviceInfo” responsible of triggering collects_privateInfo()

When we take a look to the traffic generated by the app, we see that the information exchange between the app and the C&C (https[://]app[.]fastrupe[.]com) is encrypted and decrypted with the methods aesEncrypt/Decrypt, using the key=“D4JcGjcw489iiEq1” and IV= “D4JcGjcw489iiEq1” for both methods.

Image 18: Encrypted communication intercepted
Image 18: Encrypted communication intercepted

After decrypting and analyzing the communication, we obtained the following information:

  • https[://]app.fastrupe[.]com/centrism-hippie-administratress/epiploon/dangler: Google token 
  • https[://]app.fastrupe[.]com/eventful-levallorphan-computerlike/dimethylmethane-berceuse: Event Log communication

Private information sent to the C&C:

  • https[://]app.fastrupe[.]com/carburet-bedrock-hydropsychotherapy/cosmology-deintegro: GPS_info
  • https[://]app.fastrupe[.]com/seventyfold-goral/harvey-cryosorption: getOSStoken
  • URL of private storage with stolen data: (https[[://]]oss.fastrupe[.]com/{AppId}/{MD5})
  • https[://]  Upload JSON with URLs where personal information of the users are uploaded automatically.

During the threat analysis, the zLabs team was able to access the collected information from the malware, as detailed below:

{“model”:{“ossFile”:”https[://]oss[.]fastrupe[.]com/2m86p1di/f9af4bfa96fd41a597aab380f683d877″,”ossType”:”DEVICE”}}… → Information about the device.

{“model”:{“ossFile”:”https[://]oss[.]fastrupe[.]com/2m86p1di/c467769ca99d4d15a849d05a598deb58″,”ossType”:”APP”}}…… → List of apps installed in the devices.

{“model”:{“ossFile”:”https[://]oss[.]″,”ossType”:”CONTACT”}}.. → List of contacts.

{“model”:{“ossFile”:”https[://]oss[.]″,”ossType”:”PHOTO”}}…. → metadata info about the pictures in the devices.

{“model”:{“ossFile”:”https[://]oss[.]″,”ossType”:”SMS”}}…… → Upload the SMSs info only if the SMS list is not empty.

Who are the Victims of the Threat?

While the total number of victims of this variant of the MoneyMonger malware and blackmail scam is unknown due to the use of third-party stores and sideloading for distribution, many of the unauthorized app stores report over 100,000 downloads of the malicious application. And based on the number of downloads of previously active variants, it is safe to assume the malicious actors behind this campaign are successfully socially engineering victims into falling for the predatory loan scams.

The app relies on geo-specific targeting for its predatory loan schemes. This specific variant of the Flutter-obfuscated MoneyMonger targets Indian residents, and other variants of this app have been discovered targeting residents of Peru. However, users who install the application would suffer a private information leak even before requesting the loan.

The MoneyMonger malware campaign highlights a growing trend by malicious actors to use blackmail and threats to scam victims out of money. Similar to what is seen with ransomware, these types of campaigns are increasingly common due to their success in leaving victims feeling helpless in the situation. Quick loan programs are often full of predatory models, such as high-interest rates and payback schemes, but adding blackmail into the equation increases the level of maliciousness. And due to the financial uncertainty many people globally are experiencing, it is no surprise to find this malware type growing in popularity.

Zimperium vs. MoneyMonger Malware

Enterprise customers of Zimperium are protected against this newest MoneyMonger malware variant with our on-device z9 Mobile Threat Defense machine learning engine despite using Flutter as an obfuscating framework. Zimperium’s patented on-device detection provides advanced security and protection against device, network, network, app, and web threats, keeping both personal and enterprise data private and secure.

Zimperium on-device phishing classifiers detect the traffic from the malicious domains with our machine learning-based technology, blocking all traffic to the command and control servers.

To ensure your Android users are protected from MoneyMonger malware, we recommend a quick risk assessment. Any application with the MoneyMonger code will be flagged as a Suspicious App Threat on the device and in the zConsole. Admins can also review which apps are sideloaded onto the device, increasing the mobile attack surface and leaving data and users at risk.

Indicators of Compromise

Applications that contain Flutter native file:

  • com.fastrupee.fastrupeepeefa
  • com.handyloan.loanhandhwinload
  • com.flashrupee.rupeeflashfrup
  • com.pokemoney.pokemonenyfb
  • com.goloans.goloansgood
  • com.gocasho.cashgcshoe
  • com.goldcash.cashgolddocahs
  • com.buddyyrupee.rupeehahrebu
  • com.hello.rupee.hellorupee

Android app bundle (without

  • com.mas.prestamos.premas.ccn
  • com.fastcoin.coinffafasecoin
  • com.cashanytime.timecahshelob
  • com.oneloans.loansonejdsj
  • com.dutta.rupee.duttareppeof

Complete list of hashes

Applications that contain Flutter native file:

  • 8db66f5794ce37cc1f3f341a2e3455c2dbdf1c80
  • 1e8a2c8d649d0640eae53895d7297e1fbc737f5f
  • 55ea2ff327015dcadfb54b3c3b000ae51f175f10
  • 90aa04cf96df0a487008f374d9c60827ef34fed0
  • 4f430eabdf27b750a23054fe25a9d27be1e74dd1
  • 9b6fb2078d1bbea53a3194fc014b8f9356f90aea
  • 07eb4126c4b18476ff2033c021569b3761c0d477
  • 92911fd36f0a2e5e50dcc6d7a0e418cd28c7faa2
  • 7dda134218ed4146844e09504bc249b107ad64d4
  • 349a91b528fa5ed77a31d8663a41d2f3bc2915f0
  • c1ecb0b5aed51b96e6ffc7ba5e2f3adce5abd92f
  • 9ca5af1f9f594b4e19a77ace057441bc4cb010a5
  • 38a921ac895e1d1d00030778e5c8609658deb037
  • 53928ede30034f3528288318cb953d745d2e8ebb
  • d58eeed6cbf924c164f4977fb0183995d141226d
  • c14ce04526ea81f33f83ed0549d67e28372cd64b
  • dfe405c12e34ad923cd1b37cacacaf4e2aa03724

Android app bundle (without

  • f266f7e0b813ebbee5e062578a4b59045fa54e2e
  • 502a802b6ff3f054f58b116330ee8a3504ad73af
  • ee3f9974bfec0d99cb40faa05c32ce88ca9f9eb4
  • d58eeed6cbf924c164f4977fb0183995d141226d
  • 6f78c8401f2d902556f5894ed57f43ad0c960c38
  • b23ba35f30955fa811471a5aa7db35e60c7afb83
  • f4f057f71c8aff5fe62659b325d57da4e6f9a6eb
  • e19cc4344e30669c25d07fc208b8d153376433b8
  • 3fd47e7e068aa6ca519ae07bd48ca8edbdeb7479
  • d9e5acfd4131b069775ed906974d64e52c7b7ed0
  • c4eee81efd3949b6a567457e4e60eb5ea103d488
  • 8d50dbec837c1317ee5f171f835e67ff81f7a6e6
  • 74a961fc6c0e8e2b4b99a52968a5b3e43d4ff3af
  • 5cfc5a2375b0b77935612a9591aaadc9b7cf8267
  • 1f0b55438f5f4377586fb1b2ef64abcd2b896d0c
  • f38243081ff4654f064cb1d27e8b23299954c90b
  • 1d351597d69f878c028f0dd5300823c6feb3ba40
  • 326192ad67422da2f9d496bf15da0f5992db9d6f

Complete list of CC servers

  • https[://]app.flashrupee[.]com
  • https[://]app.magicloan[.]space
  • https[://]app.flashrupee[.]xyz 
  • https[://]app.loanresources[.]space
  • https[://]app.buddyrupee[.]com 
  • https[://]app.moneysnap[.]space
  • https[://]app.goldcash[.]vip
  • https[://]app.go-cash[.]net
  • https[://]app.safetyloan[.]xyz
  • https[://][.]xyz
  • https[://]app.flashrupee[.]space
  • https[://]app.masprestamos[.]xyz
  • https[://]app.handyloan[.]xyz 
  • https[://]app.swipecredit[.]space
  • https[://]app.instantcredit[.]space
  • https[://][.]xyz
  • https[://]app.holdloan[.]xyz
  • https[://]app.rainbowcash[.]space
  • https[://]app.smallcredit[.]xyz
  • https[://]app.duttarupee[.]com
  • https[://]app.hellorupe[.]com
  • https[://]app.coin-cash[.]xyz
  • https[://][.]com
  • https[://]app.timecredit[.]xyz 
  • https[://]app.moneytreess[.]space
  • https[://][.]xyz
  • https[://]app.cashmarket[.]space
Avatar photo
Malware Researcher. View the author's experience and accomplishments on LinkedIn.

Get started with Zimperium today