Prague, Czech Republic, May 4, 2021 – In recent weeks, mobile users in several countries have been receiving SMS messages linking to a banking Trojan called “FluBot”. The threat pretends to come from a delivery company and asks users to install a tracking app in order to follow the status of a package, but in fact the app is used to steal credentials and other personal data. Avast, which already detects and blocks the threat to protect its Android users, continues to see new samples of FluBot arriving daily via its mobile threat intelligence platform apklab.io.
According to recent research, FluBot so far has already infected 60,000 devices and the total number of phone numbers collected by the attackers was estimated at 11 million by late February/early March.
“The first FluBot attacks were reported weeks ago, and we still see tens of new sample versions evolving every day,” said Ondrej David, Malware Analysis Team Leader at Avast. “At the moment, primary targets of the attacker’s campaign are Spain, Italy, Germany, Hungary, Poland and the UK. But there is some potential that the scope of operation may be extended to target other countries in the near future. While security solutions block these attacks, the rapid continuation of this campaign shows that it is successful, so we urge people to be very careful with any incoming SMS they receive, especially referring to delivery services.”
How FluBot works
FluBot is an example of an SMS-based malware campaign. It spreads by sending SMS messages claiming that the recipient has a package delivery and urging them to download a tracking app via the included link. If the recipient clicks the link, they are taken to a site that offers the app for download. The app is malware that, once installed, steals the victim’s contact list and uploads it to a remote server. The server later uses those contacts to send further malicious SMS messages, spreading the campaign from each infected device.
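The spreading mechanism described above gives a defender a simple signal to look for: an SMS that combines a delivery or parcel pretext, a prompt to install an app, and a link to a domain that is not the carrier’s own. The following is an added example of such a heuristic, written for this page and not Avast’s detection logic nor anything taken from FluBot; the sample messages, the allowlisted domain and the scoring weights are all constructed for illustration.

```python
"""Heuristic triage of SMS text for delivery-themed smishing lures.

Added example: not Avast's detection logic and not FluBot code.
All sample messages, domains and weights below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Pretext vocabulary of the kind used in the campaign described above.
DELIVERY_TERMS = re.compile(
    r"\b(parcel|package|delivery|courier|shipment|tracking)\b", re.I)
# An explicit request to install/download an app close to the lure text.
INSTALL_TERMS = re.compile(
    r"\b(install|download|update)\b.{0,40}\b(app|application|apk)\b", re.I)
# Links with or without a scheme (e.g. "http://x.example/a" or "x.example/a").
URL_PATTERN = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Domains the carrier actually uses; a defender maintains this list (constructed).
TRUSTED_DOMAINS = {"example-post.com"}
FLAG_THRESHOLD = 4  # constructed weight; tune against real traffic


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    domains: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def extract_domains(text: str) -> List[str]:
    """Return the lowercase host part of every link found in the text."""
    domains = []
    for m in URL_PATTERN.finditer(text):
        host = re.sub(r"^https?://", "", m.group(0), flags=re.I)
        domains.append(host.split("/", 1)[0].lower())
    return domains


def score_message(text: str) -> Verdict:
    """Score one SMS body; each matched signal adds to the score with a reason."""
    v = Verdict()
    if DELIVERY_TERMS.search(text):
        v.score += 1
        v.reasons.append("delivery/parcel pretext")
    if INSTALL_TERMS.search(text):
        v.score += 2
        v.reasons.append("asks to install or download an app")
    v.domains = extract_domains(text)
    if v.domains:
        v.score += 1
        v.reasons.append("contains a link")
        untrusted = [d for d in v.domains if d not in TRUSTED_DOMAINS]
        if untrusted:
            v.score += 2
            v.reasons.append("link domain not on allowlist: " + ", ".join(untrusted))
    return v


def triage(messages: List[str]) -> List[Tuple[str, Verdict]]:
    """Return only the messages that cross the threshold, with their verdicts."""
    results = [(m, score_message(m)) for m in messages]
    return [(m, v) for m, v in results if v.flagged]


# Constructed sample messages (not real captures); placeholder domains only.
SAMPLE_MESSAGES = [
    "Your parcel is arriving, download the app to track: http://track-parcel.example/app.apk",
    "Example Post: your package will be delivered tomorrow between 9 and 12. "
    "Track at https://example-post.com/t/ABC123",
    "Dinner at 7? Bring the board game",
    "You missed your parcel delivery. Install the tracking app now: short.example/x",
]


def flagged_messages() -> List[str]:
    """Convenience wrapper returning just the flagged sample message texts."""
    return [m for m, _ in triage(SAMPLE_MESSAGES)]


if __name__ == "__main__":
    for msg, verdict in triage(SAMPLE_MESSAGES):
        print(f"[score {verdict.score}] {msg}")
        for reason in verdict.reasons:
            print("   -", reason)
```

The legitimate carrier notification in the sample set also mentions a package and carries a link, but it scores below the threshold because it neither asks for an app install nor points off the allowlisted domain; that is the distinction a user-facing filter or SOC triage rule needs to make.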
The malicious app abuses an Android component known as the Accessibility service to monitor what is happening on the device and to take control of it. For instance, this lets it draw high-priority window overlays, meaning the malware can display something on top of whatever is currently on the screen, such as a fake banking login page laid over a legitimate banking app. If the user enters his or her credentials on that overlay, the malware captures them.
The same Accessibility component is also abused as a self-defense mechanism: the malware uses it to cancel any uninstallation attempt by the affected user, which makes it difficult to remove from infected devices.
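Because the abuse hinges on an enabled accessibility service belonging to a sideloaded app, one useful triage step for a suspected device is to list the enabled accessibility services and cross-check each one’s package against how it was installed. The following is an added example of that check, not Avast’s tooling and not derived from FluBot; it parses constructed sample output in the format of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and every package name in it is a placeholder.

```python
"""Triage enabled Android accessibility services against package installers.

Added example, not Avast's tooling and not FluBot code. The two strings below
are constructed samples in the shape of the real adb command output; package
names are placeholders, not indicators of compromise.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated flattened components "package/ServiceClass";
# a leading "." in the class part means "relative to the package".
ENABLED_SERVICES_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeparcel/.TrackingAccessibilityService"
)

# Constructed sample of: adb shell pm list packages -3 -i
# (third-party packages with the installer that placed them on the device)
PACKAGES_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.fakeparcel  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Installers a defender treats as an app store (Google Play's package shown).
KNOWN_STORE_INSTALLERS = {"com.android.vending"}
# Accessibility apps the organisation knowingly allows (constructed allowlist).
KNOWN_A11Y_SERVICE_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> List[str]:
    """Return the package name of each enabled accessibility service component."""
    packages = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        packages.append(entry.split("/", 1)[0])
    return packages


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer from `pm list packages -i` style output."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def suspicious_services(services_raw: str, packages_raw: str) -> List[Tuple[str, str]]:
    """Enabled accessibility services whose package is neither allowlisted
    nor installed by a known store. Returns (package, installer) pairs."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg in parse_enabled_services(services_raw):
        if pkg in KNOWN_A11Y_SERVICE_PACKAGES:
            continue
        installer = installers.get(pkg, "unknown")  # absent from -3 list => system app
        if installer not in KNOWN_STORE_INSTALLERS:
            findings.append((pkg, installer))
    return findings


if __name__ == "__main__":
    for pkg, installer in suspicious_services(ENABLED_SERVICES_OUTPUT, PACKAGES_OUTPUT):
        print(f"review: accessibility service from {pkg} (installer={installer})")
```

On a live device the two strings would come from the adb commands named in the comments. A hit here does not prove infection on its own, but an enabled accessibility service from a sideloaded package (installer `null`) that also matches a delivery-themed app name is exactly the combination to review before deciding on the safe-mode removal described later on this page.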
“What makes this malware particularly successful is that it disguises itself as postal/parcel delivery services, using text along the lines of ‘Your parcel is arriving, download the app to track’ or ‘You missed your parcel delivery, download the app to track’, to which a lot of unsuspecting users would easily fall victim. This is especially the case in the current situation where some form of home delivery has become the standard mode of operation for many businesses during the pandemic,” said Ondrej David.
During the pandemic, more people have grown used to online shopping, and receiving parcels and packages frequently is no longer unusual. Two-thirds of consumers have increased their online shopping activities compared to before the pandemic. Cybercriminals who develop malware like this take advantage of trends and current events to make sure they attract as many potential victims as possible.
How to protect yourself from FluBot?
First and foremost, install an antivirus solution that prevents threats like FluBot. Avast Antivirus for Android detects the threat and alerts users to it. If you think you are already affected by FluBot, you can install the antivirus app and run a scan on your device to identify the malware. If it is found, it is advisable to reboot your device into safe mode and uninstall the detected application from there. In safe mode all other third-party applications are temporarily disabled as well, but they become active again with the next regular reboot.
If users think they may have been victims of credential theft via this attack, it is advisable to reset the passwords for any services they feel might have been compromised, such as banking and shopping apps.
Moreover, we recommend that users take the following measures to protect themselves from FluBot and other mobile phishing attacks:
- Do not click on links in SMS messages. Especially if a message is asking you to install software or apps on your devices.
- Be a skeptic. Err on the side of caution with any suspicious SMS. If you receive a communication you weren’t expecting, it is always best to call the company yourself using the contact information provided on their legitimate website, to confirm the message received. Don’t reply directly to suspicious communication. Always begin a new communication via the company’s official service channels.
- Question the message. It is important that you train your eyes to detect phishing messages. These tend to be generic and spread to the masses, as well as automated messages or messages that present an offer that seems too good to be true (e.g. how to win a new smartphone or inherit a large sum of money from an unknown family member).
- Do not install apps from anywhere but the official app stores. Most major shipping companies have their own apps available for download at trusted stores like Google Play or the Apple App Store. Also, set your mobile device’s security to only install apps from trusted sources like Google Play or the Apple App Store.