FluBot: Strike against SMS-based Android malware

Europol has announced the dismantling of FluBot, a fast-spreading variant of Android malware.

In an international law enforcement operation involving 11 countries, Europol’s European Cybercrime Centre (EC3) switched off the so-called FluBot spyware. In doing so, they “located Flubot’s most critical infrastructure after a complex technical investigation”. In early May, the Dutch police (Politie) succeeded in taking over the infrastructure, rendering this malware strain inactive. Europol announced this in a press release.

Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the United States took part in the operation. The Dutch police announced that the server takeover cut tens of thousands of victims off from the FluBot network. It also prevented over 6.5 million spam SMS messages from reaching potential victims. Back in March 2020, Spanish police arrested four suspects who were then considered key figures in the FluBot operation, since the malware had mainly infected users in that region.

However, the pause in propagation was short-lived. The malware infected numerous devices in several other nations. Europol states:

“With cases spreading across Europe and Australia, international police cooperation has been key to switching off the criminal infrastructure of FluBot”.

Europol now emphasizes that the FluBot infrastructure is under the control of law enforcement authorities, so the malware can no longer be distributed through it. EC3 further stated that the investigation is ongoing to identify the individuals behind this global malware campaign. There have been no arrests in this operation so far.

FluBot: Security risk through SMS notifications

First spotted in December 2020, the Android malware FluBot stole access data for bank and cryptocurrency accounts, among other things. It was also able to read SMS content and monitor notifications, allowing it to intercept two-factor authentication and OTP codes. FluBot owed its rapid spread, among other things, to the abuse of the contact list of infected devices: the malware sent short messages (SMS) to all of a victim’s contacts, so that the messages appeared to come from a trusted person.

The malware spread through smishing (SMS phishing). Usually, a smartphone user initially received an inconspicuous text message purporting to come from a reputable shipping service such as DHL or FedEx. The message referred to an alleged package delivery and contained a link that promised further details or through which the supposed delivery could be tracked. The exact wording of the SMS message varied.
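The two propagation traits described above, a parcel-delivery lure carrying a link and one infected handset pushing that lure to its whole contact list, are what a mobile operator or MDM team can look for in SMS metadata. The following script is an added example, not code from the article or from Europol: it scores message text for the lure pattern and flags senders with an unusual fan-out of lure-like messages. The indicator word lists, phone numbers, hostnames and thresholds are all constructed for illustration.

```python
"""Heuristic triage of SMS records for FluBot-style smishing.

Added example (not from the article or Europol). Two checks drawn from the
article's description of how FluBot spread:
  1. lure_score(): does the text look like a parcel-delivery lure with a link?
  2. fanout_senders(): which numbers sent lure-like texts to many distinct
     recipients in one batch (the contact-list abuse the article describes)?
All sample messages, numbers, hostnames and thresholds below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Illustrative indicator lists (constructed): shipping brands / parcel wording,
# a call to action, and a link. Word boundaries avoid matching "groups" for "ups".
SHIPPER_RE = re.compile(r"\b(dhl|fedex|ups|parcel|package|delivery|shipment)\b")
ACTION_RE = re.compile(r"\b(track|reschedule|details|confirm|missed|pending)\b")
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|net|org|de|info|xyz|top|example)/\S*")


@dataclass
class Sms:
    sender: str
    recipient: str
    text: str


def lure_score(text: str) -> int:
    """Return 0..3: +1 shipper/parcel term, +1 call to action, +1 link.

    A score of 3 is the full lure pattern from the article; lower scores are
    ambiguous (a real courier notice also mentions a parcel) and should only
    raise priority, never block on their own.
    """
    t = text.lower()
    score = 0
    if SHIPPER_RE.search(t):
        score += 1
    if ACTION_RE.search(t):
        score += 1
    if URL_RE.search(t):
        score += 1
    return score


def fanout_senders(messages, min_recipients: int = 20, min_score: int = 2):
    """Return senders that pushed lure-like texts to many distinct recipients.

    An infected handset sending the lure to its contact list shows up as one
    sender with a sudden fan-out of similar messages; a single lure to one
    recipient (min_recipients not reached) is not flagged here.
    """
    recipients = defaultdict(set)
    for m in messages:
        if lure_score(m.text) >= min_score:
            recipients[m.sender].add(m.recipient)
    return sorted(s for s, r in recipients.items() if len(r) >= min_recipients)


# Constructed sample batch: one handset blasting 25 contacts, one benign
# message, and one lure that reached only a single recipient.
LURE = "DHL: your package could not be delivered. Track it here: http://dhl-track.example/x1"
SAMPLE = [Sms("+4915700000001", f"+49170000{i:04d}", LURE) for i in range(25)]
SAMPLE += [
    Sms("+4915700000002", "+491700009999", "See you at 7 for dinner?"),
    Sms("+4915700000003", "+491700009998",
        "FedEx: delivery pending, confirm details http://fedex-update.example/q"),
]

if __name__ == "__main__":
    for m in SAMPLE[-2:]:
        print(lure_score(m.text), m.text)
    print("fan-out senders:", fanout_senders(SAMPLE))
```

In practice the fan-out check is the more robust of the two, because the lure wording changes between campaigns while the burst of near-identical messages from one subscriber does not; the text heuristic mainly serves to rank which bursts an analyst looks at first.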

Malware asks for comprehensive access rights

Clicking the phishing link redirected the victim to a fake website, which initiated the download of the FluBot malware. Once started, FluBot told the victim that further actions were needed to run the application. The developers apparently relied on the fact that laypeople often find it hard to recognize what they are allowing the software to do when granting certain permissions.

Once installed and granted all the permissions it requested, FluBot could monitor whichever application was open. As soon as the malware detected one of the targeted apps, the information theft began: FluBot placed a fake overlay on the screen and tricked the user into entering their credentials, which were then sent to the cybercriminals behind the malware. Credit card details could also be stolen through a fake Google verification page.

Source: Europol

Europol advises potential victims to perform a factory reset on their device in order to remove the infection.


About Antonia Frank

Antonia has been an author at the magic hat since January 2016. She started out with book reviews. In the meantime, she prefers to write about legal topics, such as P2P cases, but she also takes up other Internet topics, such as cybercrime. Her interests are mainly related to literature.

