Finnish officials from the National Cyber Security Centre (NCSC-FI) posted a “severe malware blizzard” alert last week, warning local Android users of a Trojan dubbed FluBot that’s spreading aggressively through SMS, stealing online banking information, and threatening to snowball out of control. First spotted over the summer, when it flooded thousands of victims with fake “failed parcel delivery” messages, FluBot was thought to be extinct by the end of August. However, it made a surprising comeback in the fall, rebranded as a fake voice mail notification.
Although Android Trojans are nothing new, and mobile threats are increasing by the minute, FluBot is a particularly worrying example of “new malware” because of its capacity to adapt.
Why is FluBot so dangerous?
It’s spreading exponentially. FluBot acts as both a banking Trojan and spyware. That means that, once installed on your Android device, it will steal your credit and debit card information, raid any crypto holdings you may have, and inflict significant financial loss. But it will also copy your contact list and automatically send infected links, via SMS, to all the numbers saved in your phone. That’s the main reason why, even though things might seem under control from time to time, a new outbreak is always brewing.
It’s constantly adapting. FluBot is spreading exclusively through links received via text message. When the victim clicks the link, they’re immediately directed to a phishing page that seems like the real deal but tricks them into downloading the malware and granting it permissions. Although the method is always the same, the story changes periodically, and it’s harder and harder to spot. For example, in the beginning users were tricked into believing the message came from a delivery company about a problem with a parcel delivery. “A deliveryman tried to contact you but there was no answer. Click here to reprogram your delivery.” However, after a while, the text messages changed, and users were informed that somebody was trying to share pictures with them. “Your friend shared a photo. Click the link to see it.” When this method started flopping, the attackers began sending messages that ironically warned users that their phones were infected with the FluBot virus and that they needed to take immediate action. Finally, more recently, all the infected links have been made to look like voice mail notifications. “You have 1 new Voicemail(s). Go to link!”
It’s not geographically contained. Finnish authorities intercepted millions of infected messages sent in just a few days. However, before Finland, FluBot targeted English-speaking Android users in Australia and New Zealand. Before that, the malware was detected in the UK, Germany, France, Poland and Hungary. Digging even deeper, we find that FluBot, or Cabassous, as it was known at the time, was first spotted in the wild in Spain, in December 2020. So how can the same malware adapt so quickly and move between different countries? The answer is simple but very disturbing: its initial makers are probably selling it as a service to criminal groups in other countries, the same way ransomware attacks and phishing campaigns are regularly auctioned on the Dark Web.
What can you do to stay safe?
- Back up all your data periodically. If you have reason to believe your Android phone is infected, factory-reset your device, but be very careful because this will also erase all your unsaved personal data. Restore your device using a backup made before you were infected and change all your passwords.
- Treat all mobile links with extreme caution
- Watch out for suspicious text messages
- Fight the urge to click on links you receive via SMS, even if the message seems to come from a reliable source
- Track your deliveries independently
- Don’t log in to pages through links you receive in messages
- Don’t install apps or updates through suspicious links
- Don’t rush into any action, even if the message seems urgent
Because accidents can happen even to the wary, it’s always good to have a safety net. Bitdefender Mobile Security for Android protects your personal data, including your financial information, gives you instant alerts whenever an incident is prevented, warns you of webpages that contain malware, phishing or fraudulent content and flags malicious links arriving via SMS, messaging apps and pretty much any type of notification.