FrameWar: A Wolf in Flutter’s Clothing

June 11, 2025

How Cybercriminals Are Weaponizing the Flutter Framework for Mobile Malware

Introduction: Flutter’s Dual-Edged Appeal

Since its debut in 2017, the open-source UI framework Flutter, powered by the Dart language, has rapidly become a dominant force in app development. The toolkit enables developers to build high-performance apps from a single codebase across desktop, web, and mobile. Today, it ranks among the top 15 most-used frameworks globally and leads in cross-platform mobile development.

Our researchers at ActiveFence’s Mobile Threat Intelligence unit have observed that over the past five quarters, Flutter was integrated into 24% of new Google Play apps and 20% of new iOS apps each quarter. The Google Play Store alone hosts over 333,000 active Flutter apps with more than 3.5 billion installs, while iOS adds another 250,000+ apps and 1.8 billion downloads.

But where developers build powerful tools, threat actors are not far behind, ready to harness them for harmful or deceptive ends.

The Rise of Flutter-Based Malware

Flutter’s rapid growth has ushered in a new era of mobile cybercrime. Malicious developers increasingly exploit the framework’s unique architecture to craft sophisticated campaigns that evade traditional detection methods. Its inherent technical complexity acts as a built-in shield against reverse engineering, presenting an escalating challenge for security teams. 

Flutter’s exploitation is believed to have begun in late 2022 with the emergence of SpyLoan, a Flutter-based evolution of MoneyMonger, followed by FluHorse in mid-2023, the first mobile malware family to implement its entire payload in Dart. By 2024, even legacy malware like TinstaPorn had adopted Flutter, signaling its rise as a go-to weapon in mobile cybercrime. 

Since then, Flutter has been used to develop not only classic types of malware, such as trojans, spyware, and billing fraud, but also a wide array of seemingly benign yet unwanted apps, including investment scams, betting and gambling platforms, and predatory loan apps.

 

Why Cybercriminals Love Flutter

While originally built for speed and cross-platform efficiency, Flutter’s architecture is also deeply resistant to scrutiny. Unlike more familiar development environments like Java or Kotlin, Flutter compiles code directly into native machine instructions. This results in a sealed code snapshot, stripped of names, documentation, and debug indicators, that interacts with the CPU in unconventional ways. For researchers, it is not just hard to read; it is a maze of connected parts, where understanding even one function requires sifting through hundreds of tangled pieces. Frequent Dart and Flutter updates further complicate matters, often breaking security tools and leaving researchers with opaque binaries and little context to analyze.

Compared to Android’s bytecode or even other cross-platform frameworks like React Native, which use minified but accessible JavaScript, Flutter hides its logic in a shifting labyrinth of raw native code, perfectly suited to conceal malicious intent. This built-in complexity is exactly what makes Flutter attractive to threat actors, who increasingly use it to cloak their activities. 

Combined with its portability, allowing the same codebase to run on both Android and iOS, Flutter becomes a potent weapon. Malicious developers can scale fast with minimal effort and maximum impact. Despite the steep learning curve, like mastering Dart or embedding payloads into low-level binaries, the payoff is clear: stealth, reach, and extended campaign longevity.

 

Rethinking Mobile Threat Detection

The growing abuse of Flutter reflects a broader shift in the mobile threat landscape. Traditional reverse engineering, which depends on code visibility, falls short here—Flutter compiles logic into native snapshots that remain opaque until runtime. This demands a move from structural to behavioral analysis, where researchers must trace execution, monitor system-level interactions, and correlate activity across platforms.

Flutter’s cross-platform portability creates a shared attack surface for both Android and iOS. While OS-specific analysis remains useful, focusing on a single platform risks missing patterns that span ecosystems. A holistic, cross-platform perspective is now essential. Additionally, Flutter’s architecture disrupts standard threat detection workflows, forcing analysts to rely on forensic traces, app store metadata, and campaign-level behavioral signals to uncover true app functionality and intent.

To stay ahead, security teams must rethink their assumptions about visibility and frameworks. Flutter blurs boundaries between platforms, app layers, and even the distinction between benign and malicious code. Mobile threat intelligence must evolve, becoming more adaptive, framework-aware, and centered on understanding intent rather than isolated artifacts.
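A framework-aware triage step of the kind this section calls for, as an added example that is not from the original article: it flags an APK or IPA as Flutter-built from the engine and AOT library paths, then fingerprints the compiled Dart code so builds can be clustered and matched to tooling for the right Dart version. The paths are Flutter's default release layout; the snapshot header layout, the function names and the sample package are assumptions made for this example.

```python
import hashlib
import io
import re
import zipfile

# Default release-build paths of the Dart AOT code and the Flutter engine.
LAYOUTS = {
    "android": (re.compile(r"^lib/[^/]+/libapp\.so$"),
                re.compile(r"^lib/[^/]+/libflutter\.so$")),
    "ios": (re.compile(r"^Payload/[^/]+\.app/Frameworks/App\.framework/App$"),
            re.compile(r"^Payload/[^/]+\.app/Frameworks/Flutter\.framework/Flutter$")),
}
# Assumed header: magic 0xdcdcf5f5 (little-endian), 16 bytes of length and kind,
# then a 32-character hex version hash identifying the Dart VM build.
SNAPSHOT_RE = re.compile(rb"\xf5\xf5\xdc\xdc.{16}([0-9a-f]{32})", re.DOTALL)

def snapshot_hashes(blob):
    """Return the distinct snapshot version hashes found in a binary."""
    return sorted({m.group(1).decode() for m in SNAPSHOT_RE.finditer(blob)})

def triage(package_bytes):
    """Classify an APK or IPA (both ZIP archives) and fingerprint its AOT code."""
    report = {"platform": None, "engine": False, "aot": [], "flutter": False}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            for platform, (aot_re, engine_re) in LAYOUTS.items():
                if engine_re.match(name):
                    report.update(platform=platform, engine=True)
                elif aot_re.match(name):
                    blob = zf.read(name)
                    report["platform"] = platform
                    report["aot"].append({"path": name,
                                          "sha256": hashlib.sha256(blob).hexdigest(),
                                          "dart_hashes": snapshot_hashes(blob)})
    report["flutter"] = report["engine"] and bool(report["aot"])
    return report

def build_sample_apk():
    """Constructed sample: a fake APK holding placeholder library bytes."""
    libapp = (b"\x7fELF" + b"\x00" * 60 + b"\xf5\xf5\xdc\xdc" + b"\x00" * 16
              + b"0123456789abcdef0123456789abcdef" + b"product\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libflutter.so", b"\x7fELF")
        zf.writestr("lib/arm64-v8a/libapp.so", libapp)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage(build_sample_apk()))
```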

 

Conclusion

Flutter’s architecture was built for speed, portability, and IP protection. Ironically, those same traits are now exploited for harm. It allows harmful behavior to be obscured within native binaries, evading detection for longer than ever while complicating reverse engineering.

This is the essence of the “FrameWar”: not just a battle over code, but over visibility, strategy, and time. As cybercriminals evolve with modern frameworks, defenders must respond with sharper tools, deeper collaboration, and a clearer understanding of how Flutter reshapes the threat surface. Ignore it, and we will keep losing ground, one compiled snapshot at a time.

At ActiveFence, we work with leading security teams to uncover emerging cybercriminal infrastructure and mobile malware campaigns, like those abusing Flutter. We track malicious developers, map distribution networks, and expose tactics at scale to help platforms detect system misuse and stay ahead of emerging threats. 

Want to learn more about our Threat Intelligence solutions or speak with one of our experts? Get in touch with us today.
