Android FluBot Malware – spreading rapidly across Europe, might target the US!

PureID

Ramya Erramilli

May 4, 2021

Android FluBot Malware

FluBot is a banking malware that is specifically attacking Android phones and stealing bank details and passwords from your device. Like Covid-19, this malware has spread across a wide range of English speaking countries rapidly causing some irreparable damage. 

FluBot uses “smishing” - phishing using SMS and text messages. These attacks have seen a huge rise in the recent past. 

The Impact of the Attack 

Originated in Spain, then spread to Germany, Hungary, Italy, Poland and UK,  the malware is believed to have made over 7,000 victims in the UK alone, where the campaign operators were using more than 700 unique domains for the distribution of FluBot. 

Proofpoint says that U.S. users have already started receiving German and English-language phishing SMS messages, suggesting that the threat actor is getting ready to expand to this country. The pattern is similar to how the attacks started in the UK, where users first received German messages and then English ones.

Infection Stages

Smishing 

Here, an SMS with a malicious link is sent to the user disguising as famous delivery service organisations such as DHL & FedEx, on an hourly basis.

The malware requires user interaction to get access to the Android device. 

Reference:  https://tinyurl.com/2vctczzy

On clicking the link you’re redirected to a fake website, where you have to download an APK. 

Permission Acquisition

During the installation of this fake app, a misleading prompt appears asking for full access to SMS and networking, address book including device management.

The Attack

The malware after acquiring complete permissions carries out the malicious activity which includes and is not limited to

  1. Reading and forwarding sensitive SMS/OTPs
  2. Screen overlays on net banking apps to capture the passwords entered by the user
  3. Intercepting incoming messages and notifications, 
  4. Opening webpages.
  5. Disabling Google Play Protect. 
  6. It also can uninstall other applications. 
  7. It will also access contact details and send out additional text messages, spreading the spyware further.
Reference: https://tinyurl.com/2vctczzy

Protection & Precaution 

The National Cyber Security Centre (NCSC) warns users about this malware and its methodology, where you are obligated to download a tracking app because of a missed package.  It recommends Android users to practice following precautions 

  1. Do not click on links in unsolicited messages.
  2. Do not download APK from any website, other than Google Play Store.
  3. Do not give unnecessary permissions while installing an APK downloaded from a reliable source.
  4. Scan your Android device frequently with a legitimate anti-malware application.
  5. Never store passwords or banking information locally on your Android device.
  6. If you have used a phone for internet banking, double-check your account with the bank and report any fraudulent activity immediately.

As long as systems are using passwords, adversaries will find various ways and tools to steal them. We highly recommend that enterprises adopt passwordless authentication for critical services.

References:

https://www.ncsc.gov.uk/guidance/flubot-guidance-for-text-message-scam

https://blog.f-secure.com/flubot-android-malware/

https://www.91mobiles.com/hub/flubot-malware-android-phone-steals-netbanking-passwords/

Share this article    

Connect with Us!

Subscribe to receive new blog post from PureID in your mail box