2026-03-26 | Auto-Generated 2026-03-26 | Oracle-42 Intelligence Research
The 2026 Android Banking Trojan “FlutterRAT”: Dart-Powered Cross-Platform Mobile Attacks
Executive Summary
In March 2026, Oracle-42 Intelligence identified a novel Android banking trojan codenamed FlutterRAT, which leverages Google’s Dart programming language and the Flutter framework to deliver cross-platform mobile malware capable of targeting both Android and iOS users simultaneously. The trojan represents a significant evolution in mobile threat tactics, exploiting Dart’s cross-compilation capabilities to bypass traditional platform-specific detection and obfuscate its malicious payload. Early telemetry from EMEA and APAC mobile networks indicates active distribution via fake banking apps, trojanized productivity tools, and smishing campaigns impersonating regional financial institutions. This report provides a comprehensive analysis of FlutterRAT’s architecture, propagation vectors, and evasion techniques, alongside strategic recommendations for mitigation, detection, and response.
Key Findings
First major Dart/Flutter-based mobile banking trojan observed in the wild, with confirmed samples targeting Europe and Southeast Asia.
Uses cross-platform compilation via Flutter to deploy identical malicious logic on Android and iOS devices from a single codebase.
Employs advanced obfuscation (string encryption, control flow flattening) and runtime API hooking to evade static and dynamic analysis.
Incorporates on-device fraud engines for real-time interception of SMS OTPs, screen scraping, and overlay attacks.
Distribution leverages SMS-based phishing (smishing), fake app stores, and social engineering campaigns in multiple languages.
Undetected by most legacy mobile AV engines due to novel use of Dart’s JIT/AOT compilation and Flutter’s widget-based UI framework.
Technical Analysis: Architecture and Behavior
1. Dart/Flutter Cross-Platform Foundation
FlutterRAT is written primarily in Dart, compiled to native ARM code via Flutter’s Ahead-of-Time (AOT) engine for Android and iOS. The attacker uses a single codebase to generate binaries for both platforms, drastically reducing development time and enabling synchronized campaigns. Flutter’s widget system allows the malware to render convincing fake UIs (e.g., login screens) that closely mimic legitimate banking apps, increasing user trust and credential harvesting success.
Notably, Flutter apps run in a Dart virtual machine context, which enables dynamic code loading and reflection—capabilities frequently abused for runtime manipulation and payload staging.
2. Delivery and Installation Vectors
FlutterRAT propagates through three primary channels:
Smishing campaigns: SMS messages containing malicious APK/IPA download links, often in the local language of the target region (e.g., German, Thai, Vietnamese).
Fake app stores: Spoofed versions of popular apps (e.g., QR code scanners, PDF readers) hosted on third-party repositories or mirrored domains.
Social engineering via messaging apps: Users are lured into sideloading via WhatsApp or Telegram messages from “bank support” accounts.
Once installed, FlutterRAT requests extensive permissions (e.g., Accessibility, Notification Listener, Overlay), justified with fake “performance optimization” or “security update” pretexts.
3. Obfuscation and Evasion Mechanisms
FlutterRAT employs a multi-layered obfuscation strategy:
Dart-level obfuscation: Symbol names, strings, and control flow are obfuscated using tools like dart-obfuscator and custom packers.
Native code injection: Critical components (e.g., keylogging, SMS interception) are compiled to native ARM code and loaded at runtime via Dart’s DynamicLibrary API.
Anti-tampering: Checks for emulator environments, debuggers, and root detection; exits silently if detected.
Flutter widget masking: Malicious overlays are rendered as Flutter widgets, blending seamlessly with the host app’s UI and evading traditional overlay detection heuristics.
4. On-Device Attack Chain
The trojan follows a phased attack lifecycle:
Initialization: Upon launch, it sets up listeners for SMS, notifications, and accessibility events.
Credential Harvesting: Uses overlay attacks to capture login credentials and MFA tokens.
Transaction Fraud: Intercepts SMS OTPs and performs unauthorized transfers via injected UI flows or background API calls.
Persistence: Maintains presence via device admin abuse, accessibility service persistence, and periodic C2 beaconing.
Exfiltration: Logs and stolen data are encrypted and exfiltrated over HTTPS or WebSocket channels to command-and-control (C2) servers in bulletproof hosting regions.
Threat Landscape Implications
FlutterRAT marks a paradigm shift in mobile malware development, lowering the barrier to entry for sophisticated cross-platform attacks. Unlike prior threats that required separate iOS/Android codebases, Flutter enables rapid iteration and reuse of attack logic. This increases attacker ROI and accelerates global deployment.
Additionally, the use of Dart/Flutter complicates traditional mobile forensics, as analysts must now parse Dart heap dumps, decompile Flutter bytecode, and analyze native bridge interactions—a process not yet widely supported by commercial tooling.
Detection and Mitigation Strategies
For End Users and Enterprises
Disable sideloading: Enforce policies blocking installations from unknown sources; use MDM solutions to whitelist apps.
Monitor app permissions rigorously: Flag apps requesting Accessibility, Notification Listener, or Overlay without justification.
Use app reputation services: Cross-reference app signatures and certificates with known malicious hashes (e.g., via Oracle-42 Threat Intelligence Feed).
Enable runtime protection: Deploy mobile EDR solutions with behavior-based detection (e.g., suspicious UI rendering, C2 communication patterns).
User education: Conduct phishing simulations and warn users about smishing and fake banking apps in regional languages.
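The permission pretexts described in section 2 and the permission-monitoring recommendation above can be turned into a manifest triage check. The following is an added example, not tooling from Oracle-42 or the report; it assumes the AndroidManifest.xml text has already been decoded from the APK and that the native library paths come from the APK's lib/ directory (libflutter.so and libapp.so are the libraries Flutter Android builds ship). The sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions the report ties to the overlay / SMS / accessibility fraud chain.
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}
# Native libraries every Flutter Android build ships under lib/<abi>/.
FLUTTER_LIBS = {"libflutter.so", "libapp.so"}

def triage(manifest_xml: str, native_libs) -> dict:
    """Score an APK from its AndroidManifest.xml text and native lib paths."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for el in root.iter("uses-permission"):      # permissions the app requests
        caps.add(RISKY.get(el.get(ANDROID + "name")))
    for svc in root.iter("service"):             # services the OS binds to
        caps.add(RISKY.get(svc.get(ANDROID + "permission")))
    caps.discard(None)
    flutter = bool(FLUTTER_LIBS & {p.rsplit("/", 1)[-1] for p in native_libs})
    # A QR scanner or PDF reader has no reason to combine overlay, accessibility
    # and SMS/notification access; that combination is the report's attack chain.
    chain = {"overlay", "accessibility"} <= caps and bool(caps & {"sms", "notifications"})
    return {"package": root.get("package"), "flutter": flutter,
            "capabilities": sorted(caps), "fraud_chain": chain}

# Constructed sample: a fake "QR scanner" manifest with the report's permission set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_LIBS = ["lib/arm64-v8a/libflutter.so", "lib/arm64-v8a/libapp.so"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_LIBS))
```

In an MDM or app-vetting pipeline, a `fraud_chain` hit on a sideloaded or third-party-store app is the signal to block installation pending review; the `flutter` flag only tells the analyst which toolchain to reverse.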
For Security Vendors and Platforms
Enhance Flutter/Dart analysis: Develop static and dynamic analysis tools capable of parsing Dart bytecode and Flutter widget trees.
Improve emulator/debug detection: Update mobile AV engines to detect Dart VM–specific artifacts and Flutter-specific function hooks.
Collaborate with Flutter community: Engage with Google to promote secure development practices and introduce obfuscation warnings in the Flutter toolchain.
Expand API monitoring: Monitor usage of DynamicLibrary, MethodChannel, and Platform.isIOS / Platform.isAndroid checks for anomalous patterns.
Future Outlook and Threat Evolution
Oracle-42 Intelligence assesses with high confidence that FlutterRAT-like threats will proliferate through 2026–2027, targeting not only banking but also cryptocurrency wallets, trading apps, and identity platforms. Threat actors are likely to integrate AI-driven social engineering (e.g., deepfake voice/video support) to enhance lures, and may expand to wearable platforms (e.g., Flutter-based Wear OS apps).
We also anticipate attempts to bypass Flutter’s sandbox by exploiting platform channel vulnerabilities or leveraging Dart’s FFI (Foreign Function Interface) to call native exploits.
Conclusion
FlutterRAT exemplifies the convergence of modern software engineering and cybercrime, where legitimate development frameworks are weaponized to create agile, cross-platform malware. Its adoption of Dart and Flutter signals a new era of mobile threats that are harder to detect, faster to deploy, and more adaptable to platform defenses. Organizations must adopt a proactive, behavior-based security posture and invest in specialized mobile threat intelligence to stay ahead of this evolving