FluBot takedown: Law enforcement takes control of Android spyware’s infrastructure

An international law enforcement operation involving 11 countries has disrupted the spreading of the FluBot Android malware, which spreads via SMS and MMS and steals sensitive information – passwords, online banking details, etc. – from infected smartphones.

How widespread is the spyware?

FluBot was first spotted in December 2020, and it went on to affect users across the world.

“The malware was installed via text messages which asked Android users to click a link and install an application to track to a package delivery or listen to a fake voice mail message. Once installed, the malicious application, which actually was FluBot, would ask for accessibility permissions. The hackers would then use this access to steal banking app credentials or cryptocurrency account details and disable built-in security mechanisms,” Europol explained.

The Dutch Police (Politie), who took control of the malware’s infrastructure earlier in May, made the malware inactive.

“To date, we have disconnected ten thousand victims from the FluBot network and prevented over 6,500,000 spam text messages,” the Politie shared.

The lure SMS would usually take the form of a well-known parcel delivery service (DHL, for example) and would invite users to click on a link to listen to a voice message or download an app from the parcel service (after disabling the device’s security settings).

“Victims often do not know that they have installed the malware. The further spread of the malware also happens without the user of a mobile phone noticing. As FluBot spreads further by using contact lists in a phone, the malicious software spreads like wildfire,” the Polities added.

FluBot can only infect Android smartphones, but the crooks behind this malware have also been known to target iPhone users, as well – just not with malware. In a recent campaign targeting Finnish users, the page from which the Android package was served to targets would redirect iPhone users to premium subscription scam pages.

The operation aimed at disrupting FluBot infrastructure involved law enforcement agencies from Australia, a bevy of European countries, and the US, and was coordinated and aided by Europol.

“Europol’s European Cybercrime Centre brought together the national investigators in the affected countries to establish a joint strategy, provided digital forensic support and facilitated the exchange of operational information needed to prepare for the final phase of the action. The J-CAT, hosted at Europol, also supported the investigation. A virtual command post was also set up by Europol on the day of the takedown to ensure seamless coordination between all the authorities involved,” the agency added, and said that the investigation continues in an effort to identify the individuals behind this global malware campaign.

What to do if you’ve been infected with FluBot

“FluBot malware is disguised as an application, so it can be difficult to spot. There are two ways to tell whether an app may be malware: if you tap an app, and it doesn’t open, or if you try to uninstall an app, and are instead shown an error message,” Europol pointed out.

As mentioned before, only Android users can be infected with FluBot, but clicking on the link in the SMS message does not start the installation of the malware. So, if you’re one of the lucky users who have, at the last minute, declined to install the offered fake app, you’re safe.

For those who triggered the download and went through the installation, though, the best option to remove the malware from their phone is to reset it to factory settings.

If you’ve been hit and have reset your phone, you can restore it from a backup, but before you do make sure that the backup was created before the malware was installed.

Then you should:

  • Contact your bank, report the infection and check whether your account has been affected
  • Change passwords for online services you have used on your device
  • Contact your mobile carrier and check for unprecendented subscriptions and charges.

Don't miss