Flubot ( Banking Trojan ) – Malware

Overview

FluBot is an Android malware distributed via phishing SMS messages (Smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed the malware has various capabilities to harvest credentials and support the Smishing operation itself, including uploading of the contacts list, as well as sending SMS messages to other phone numbers.

Targets

Android devices users in different countries (primarily in Europe).

Tools/ Techniques Used

Cyber criminals distribute FluBot via SMS messages. They send messages (in different languages) containing a fake shipment tracking website designed to download an APK file, which has similar appearance to the installer for the FedEx application. During installation, the fake FedEx application (FluBot malicious application) asks for various permissions.

For example, to read contacts, write, read and send SMS messages, read the phone state, keep the device awake, create notifications and post them using the startForeground feature. It also asks permission to initiate phone calls (without going through the Dialer user interface), delete packages, allow querying of any normal app installed on the device, and allow applications to open network sockets. FluBot can receive commands via a Command and Control (C&C) server, including commands to uninstall applications, block the card, upload SMS messages, open URLs (website addresses), extract contact lists, disable Google Play Protect, and various other commands.

References

1. What kind of malware is FluBot?