FluBot Malware Strain Taken Down in Multi-Agency EffortEuropol: Probe Into Identifying Actors Behind Threat Campaign Is Ongoing
Android spyware FluBot's infrastructure was disrupted by the Dutch police as part of a multinational law enforcement operation in May, rendering this strain of malware inactive, Europol says.
"This technical achievement follows a complex investigation involving law enforcement authorities of Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the United States, with the coordination of international activity carried out by Europol's European Cybercrime Centre," Europol says.
The agency says that the investigation into identifying the actors responsible for the malware campaign is "ongoing."
How FluBot Works
The spyware was spotted by cybersecurity firm Proofpoint in November 2020. The company says it has tracked FluBot campaigns in the U.K., Germany, Hungary, Italy and Poland.
The agency also details how an Android user is infected by FluBot. Users are tricked into downloading the malware using a text message that prompts them to click a malicious link. This link usually shows up as a "click here" option that claims to carry out functions such as tracking packages or listening to a voice message.
"Once installed, the malicious application, which actually was FluBot, would ask for accessibility permissions. The hackers would then use this access to steal banking app credentials or cryptocurrency account details and disable built-in security mechanisms," Europol says. "This strain of malware was able to spread like wildfire due to its ability to access an infected smartphone's contacts. Messages containing links to the FluBot malware were then sent to these numbers, helping spread the malware ever further."
Proofpoint says that although FluBot has updated its malware several times, all its campaigns follow the same pattern (see: FluBot Spyware Spreads Across Europe).
The target receives an SMS text message portrayed as being from FedEx, DHL or another delivery firm, stating that a package awaits them and that they should click on a link to find the package's arrival time. Once the link is clicked, the malware download process begins. In addition to displaying delivery services' logos, the malware also contains legitimate-looking Android Packaging files with FluBot encrypted and embedded inside to help bypass security.
"FluBot v3.7 uses package names of com.tencent.mobileqq and com.tencent.mm with FedEx, DHL, and Correos lures while v4.0 uses a package name of com.eg.android.AlipayGphone with DHL lures," Proofpoint says in its report.
After the malicious APK is installed, FluBot still does not have full access to the device. So the attackers trick the victim into providing additional permissions to obtain information about their delivery through a series of pop-up notices that appear on the phone asking for permission to observe the victim's actions on the device, retrieve window content and turn on notification access.
Once the victim grants the permissions, FluBot is installed. It acts as spyware, an SMS spammer and a credit card and banking credential stealer, Proofpoint says. When reaching out to the attackers' command-and-control server, the malware sends the victim's contact list and retrieves an SMS phishing message and number to continue its spread using the victim's device.
FluBot was among the top 10 Android banking Trojans identified by mobile security platform Zimperium.
Top 10 Android Banking Trojans
In the report shared with Information Security Media Group, the company examined 10 "prolific banking Trojans" targeting 639 Android financial applications in the banking, investment, payment and cryptocurrency segments. They all have more than 1 billion downloads on the Google Play Store.
Apart from FluBot, the other top 10 Trojans include BianLian, Cabassous, Coper, EventBot, ExobotCompact.D/Octo, Medusa, Sharkbot, Teabot and Xenomorph.
The researchers at Zimperium say that BBVA Spain is among the most targeted banking applications, and at least six of the 10 reported banking Trojans - FluBot, Medusa, Xenomorph, Coper, ExobotCompact.D/Octo and Sharkbot - target it.